Microsoft has asked the UK’s Business and Trade Committee to correct the parliamentary record after a senior Microsoft executive gave testimony that understated the company’s operational role in the suspension of an International Criminal Court (ICC) prosecutor’s Microsoft-hosted email — a small sequence of events that has become a large signal in Europe’s accelerating debate over digital sovereignty, vendor trust and the limits of so‑called “sovereign cloud” promises.
On 10 February 2026 Microsoft’s senior director for corporate, external and legal affairs, Hugh Milward, told the House of Commons Business and Trade Committee that the ICC — not Microsoft — decided to suspend access to the email account of ICC Chief Prosecutor Karim Khan amid US sanctions. Milward said the company “worked with the ICC throughout the whole period” and that “it was the ICC’s decision to terminate and respond to that sanction, not Microsoft’s.” (committees.parliament.uk)
A follow-up exchange made the point sharper: when challenged that Microsoft must follow US sanctions, Milward replied that the ICC “has the ability to switch on and off their own users” and “makes the decision whether it continues to provide service to one of their employees in response to the US sanction.” That exchange — recorded in the committee transcript and the public video — became the focal point of reporting and public scrutiny. (committees.parliament.uk)
Following media attention, Microsoft told a reporter it had apologised to the Business and Trade Committee for an “inaccuracy” and asked for the hearing record to be corrected. Microsoft’s quoted comment said the company had been in contact with the ICC during the process that resulted in the disconnection of the sanctioned official, and insisted that “at no point did Microsoft cease or suspend its services to the ICC.” That statement was supplied to the press as Microsoft’s immediate comment. Readers should note this particular company comment has been reported to the press rather than published as a separate Microsoft press release; independent public confirmation of the correction request is limited to Microsoft’s statement to journalistsbecause it changes whether the exchange was a misremembered description of roles or an actively misleading assertion.
On 10 June 2025, Anton Carniaux, Microsoft France’s director of public and legal affairs, told a French Senate commission that he could not guarantee that French citizens’ data would never be handed to US authorities where a lawful order required disclosure; he answered “Non, je ne peux pas le garantir” when asked to provide such a guarantee. That was sworn testimony before a national legislative body and is a public record. The admission underscored the legal truth: technical and contractual guarantees can mitigate risk but cannot wholly negate the effect of a foreign court order on an American company.
That sworn admission has since been cited repeatedly in European debates and reports as a watershed moment: when executives face a courtroom or Senate setting under oath, legal realities supersede marketing assurances of “sovereign clouds.” The French Senate record is explicit that Microsoft France told lawmakers it had technical and contractual measures to reduce transfers, but could not promise absolute protection from legally compelled disclosures.
Gartner’s recent sovereign‑cloud forecast quantifies the market effect. The analyst firm now expects worldwide sovereign‑cloud IaaS spending to reach about $80 billion in 2026, a sharp increase from 2025, and it projects particularly strong growth in Europe — forecasting that Europe’s sovereign cloud spending will more than triple between 2025 and 2027, moving from roughly $6.9 billion in 2025 to more than $23 billion in 2027. Gartner’s Rene Buest highlights geopolitical drivers and the fact that governments and regulated industries will be the main buyers. Those numbers are material: they validate that the ICC‑type incidents are driving real procurement decisions and capital flows.
European organisations are responding in several concrete ways:
But there are hard limits:
The French Senate’s sworn admission by a senior Microsoft France executive — “I cannot guarantee” that data held in the EU will never be disclosed to US authorities — is the structural fact that will continue to shape procurement, architecture, and geopolitics in the months and years ahead. That legal reality is driving the surge in sovereign‑cloud spending that analysts quantify, and the ICC’s move to OpenDesk is an emblematic digital‑sovereignty response.
If you are a policy maker, procurement lead or C‑suite executive in Europe, treat this as a governance problem as much as a technology decision. The path forward is not to demonise individual vendors — many of which offer valuable services — but to design contracts, architectures and public strategies that recognise legal reality, distribute risk, and develop resilient, sovereign options where national security, justice, or democratic accountability demand it.
Source: theregister.com Microsoft asks UK Parliament to correct US sanction evidence
Background: what happened in Parliament — and what Microsoft later said
On 10 February 2026 Microsoft’s senior director for corporate, external and legal affairs, Hugh Milward, told the House of Commons Business and Trade Committee that the ICC — not Microsoft — decided to suspend access to the email account of ICC Chief Prosecutor Karim Khan amid US sanctions. Milward said the company “worked with the ICC throughout the whole period” and that “it was the ICC’s decision to terminate and respond to that sanction, not Microsoft’s.” (committees.parliament.uk)A follow-up exchange made the point sharper: when challenged that Microsoft must follow US sanctions, Milward replied that the ICC “has the ability to switch on and off their own users” and “makes the decision whether it continues to provide service to one of their employees in response to the US sanction.” That exchange — recorded in the committee transcript and the public video — became the focal point of reporting and public scrutiny. (committees.parliament.uk)
Following media attention, Microsoft told a reporter it had apologised to the Business and Trade Committee for an “inaccuracy” and asked for the hearing record to be corrected. Microsoft’s quoted comment said the company had been in contact with the ICC during the process that resulted in the disconnection of the sanctioned official, and insisted that “at no point did Microsoft cease or suspend its services to the ICC.” That statement was supplied to the press as Microsoft’s immediate comment. Readers should note this particular company comment has been reported to the press rather than published as a separate Microsoft press release; independent public confirmation of the correction request is limited to Microsoft’s statement to journalistsbecause it changes whether the exchange was a misremembered description of roles or an actively misleading assertion.
Why the exchange matters: sanctions, services and the ICC case
This is not an arcane contract dispute. The episode sits at the intersection of three realities:- The United States government issued an executive order that placed sanctions on ICC officials, including Karim Khan. That action carried real legal consequences: travel bans, asset freezes and restrictions on interactions with US persons and US-based services. The sanctions were framed as a response to ICC actions that implicate U.S. allies. Human-rights organisations and courts around the world quickly reacted to the political and legal implications of those measures.
- A number of routine, cloud‑hosted services are provided to international organisations by US companies; email and productivity suites are often part of formal support contracts that include service, support and operational practices. When an individual who is a customer of Microsoft services becomes subject to US sanctions, large, complex legal and operational questions arise: does a provider suspend only the individual account, the whole organisation, or is the action a matter for the customer organisation to implement under its own administrative controls? Those procedural choices are not merely technical — they are governed by contract language, local law, export controls, and often vigorous dialogues between supplier legal teams and customer stakeholders. The committee exchange highlighted how those roles can blur in public perception. (committees.parliament.uk)
- The ICC subsequently took steps to reduce dependency on Microsoft technologies and adopted an open‑source office and collaboration suite known as OpenDesk, offered by the German Centre for Digital Sovereignty (ZenDiS). That migration was explicitly linked in reporting to the disruption to the prosecutor’s email and to broader fears about reliance on US providers during a period of geopolitical friction. Multiple outlets in Europe reported that the ICC moved to OpenDesk in the months following the incident.
The legal backdrop: CLOUD Act, jurisdiction and sworn admissions
The most important legal context for this story is the US Clarifying Lawful Overseas Use of Data Act — the CLOUD Act — which gives US authorities a mechanism to require US-based providers to disclose data in their “possession, custody, or control,” even when the data are stored overseas. European policymakers have long argued that the CLOUD Act and other US statutes create an inescapable legal risk for European data held by US companies. The French Senate press record and hearing transcripts crystallised that risk.On 10 June 2025, Anton Carniaux, Microsoft France’s director of public and legal affairs, told a French Senate commission that he could not guarantee that French citizens’ data would never be handed to US authorities where a lawful order required disclosure; he answered “Non, je ne peux pas le garantir” when asked to provide such a guarantee. That was sworn testimony before a national legislative body and is a public record. The admission underscored the legal truth: technical and contractual guarantees can mitigate risk but cannot wholly negate the effect of a foreign court order on an American company.
That sworn admission has since been cited repeatedly in European debates and reports as a watershed moment: when executives face a courtroom or Senate setting under oath, legal realities supersede marketing assurances of “sovereign clouds.” The French Senate record is explicit that Microsoft France told lawmakers it had technical and contractual measures to reduce transfers, but could not promise absolute protection from legally compelled disclosures.
Market reaction and the sovereign cloud boom
The ICC incident and the French Senate testimony have become fuel for a market shift already gaining momentum. For procurement teams, the argument is simple: if contracts and technical measures cannot override foreign legal compulsion, then the only complete safeguard for certain classes of sensitive data is to use infrastructures and software that are not controlled by firms subject to the relevant extraterritorial law.Gartner’s recent sovereign‑cloud forecast quantifies the market effect. The analyst firm now expects worldwide sovereign‑cloud IaaS spending to reach about $80 billion in 2026, a sharp increase from 2025, and it projects particularly strong growth in Europe — forecasting that Europe’s sovereign cloud spending will more than triple between 2025 and 2027, moving from roughly $6.9 billion in 2025 to more than $23 billion in 2027. Gartner’s Rene Buest highlights geopolitical drivers and the fact that governments and regulated industries will be the main buyers. Those numbers are material: they validate that the ICC‑type incidents are driving real procurement decisions and capital flows.
European organisations are responding in several concrete ways:
- Procuring local or regional “sovereign” cloud offerings run by companies established under local law.
- Seeking open‑source alternatives where possible to reduce dependence on a single vendor stack (the ICC’s move to OpenDesk is one such visible example).
- Negotiating contract clauses such as customer‑controlled encryption keys, local boards for cloud operations, and legal commitments from vendors to contest extraterritorial orders in courts. Microsoft itself announced such measures under a “European Digital Resilience Commitment,” pledging to expand data‑centre presence, add EU governance features, and make contractual commitments to European governments — a PR and procurement offensive designed to blunt sovereignty concerns. But recall the limit: contractual promises cannot override an enforceable US court or executive order.
What the Parliamentary exchange actually proves — and what it does not
There are two separate observations to draw from the Milward exchange and Microsoft’s subsequent request to correct the record.- Procedural ambiguity: public statements from a company lawyer in a fast‑moving hearing can conflate operational control with administrative choice. The committee transcript shows Milward describing discussions between Microsoft, the ICC and the US government and emphasising that the ICC made the ultimate decision to terminate the sanctioned individual’s access. That is a specific factual claim about who physically and administratively disconnected the account. The ICC and other public reporting indicate the prosecutor’s account was indeed disabled; whether that action was implemented directly by Microsoft on legal advice, by the ICC under pressure, or via another mechanism is a technical question that lives in contract logs, support tickets and legal opinions. The committee record gives Microsoft’s public version; Microsoft’s later correction request acknowledges an “inaccuracy” in the way the situation was presented to MPs. (committees.parliament.uk)
- The systemic point survives any factual correction: even if Microsoft did not directly flip the switch on ICC inboxes, the underlying problem — US extraterritorial sanctions, and the legal obligations of US providers — remains. The French Senate’s sworn testimony from Microsoft France makes that legal reality plain: Microsoft cannot guarantee that EU‑resident data would be immune to lawful US requests. That admission is both independent of the Parliament exchange and far more consequential for policy makers and procurement teams.
Strengths, weaknesses and risks of the current vendor responses
The market is reacting quickly, and vendors — including Microsoft, AWS and Google — have deployed a series of marketing and contractual moves designed to reassure customers. They’re not wrong to try: the hyperscalers possess unmatched technical scale, operations expertise, and economies of scale that deliver value for many workloads. Microsoft’s April 2025 European commitments — expanded datacentre capacity, a European governance board and a promise to include a European Digital Resilience Commitment in contracts — were explicitly designed to reassure governments and enterprise procurement teams.But there are hard limits:
- Strengths of hyperscalers and vendor commitments
- Massive investment capacity and rapid ability to scale infrastructure.
- Deep portfolio of managed services, security tooling and compliance attestations.
- Contractual willingness to litigate and defend customers’ interests (as vendors have asserted publicly).
- Weaknesses and systemic risks
- Legal jurisdiction: the CLOUD Act and underlying US obligations cannot be fully disclaimed by contracts. A valid court order will carry legal force in the United States.
- Perception and political risk: even an administratively correct explanation that “the customer disabled the account” will not assuage public or political concerns if the practical effect is that a politically sensitive user lost access after sanctions were announced.
- Lock‑in and procurement dependency: shifting large institutions away from a dominant provider is complex and expensive; interim mitigation can be incomplete and still leave critical exposure.
What governments and enterprises should do now: practical steps
European public bodies and privacy‑sensitive enterprises must treat this moment as an operational risk problem, legal problem, and procurement problem at once. The following are practical — and sequential — steps organisations should take.- Inventory and classify: perform an immediate data‑sensitivity inventory to identify workloads that would be unacceptable to place under any conceivable extraterritorial risk.
- Apply risk tiers: for Tier‑1 (highest sensitivity), prefer providers not subject to the foreign legal regime in question; for Tier‑2, enforce strict contractual, technical and jurisdictional controls (customer‑managed keys, local processing, on‑prem options); for Tier‑3, evaluate economic trade‑offs.
- Contractual hardening: demand explicit contractual commitments around notice, transparency reporting, and vendor obligations to contest extraterritorial orders. Insist on operational proof points (local management boards, dedicated support and auditability).
- Technical barriers: use customer‑controlled encryption keys (bring‑your‑own‑keys) and split‑key architectures where feasible; implement strong local identity and admin controls so a customer organisation can disable accounts without vendor intervention.
- Policy formation: national governments should define procurement standards and funding to seed independent, certified sovereign cloud options where market gaps exist.
- Scenario rehearsals: run tabletop exercises for sanctions, judicial orders and supplier disruptions to ensure operational resilience and clarity on roles.
What this means for the sovereign cloud market — winners and losers
- Winners
- European cloud providers and open‑source stacks that can credibly offer services free from US legttract high‑sensitivity workloads.
- Specialist vendors offering migration tooling, data‑portability services, and hybrid solutions will prosper.
- Governments that fund or seed sovereign infrastructure will gain strategic independence and a domestic technology industry uplift.
- Losers
- Any single global vendor that relies purely on marketing to reassure customers without demonstrable legal and technical separation risks losing high‑value public contracts.
- Organisations that keep the status quo without contractual hardening may face operational exposure and reputational damage if disruptions recur.
Caveats and open questions
- Attribution and facts: the core parliamentary correction request concerns a factual detail — who physically severed the account. That is resolvable through logs and contractual records; transparency from vendors and customers would help close the loop. The Microsoft‑ICC interaction should be clarified in an audited statement if public trust is to be restored. Reporting indicates Microsoft has asked for the record to be corrected, but the mechanism for that correction (a formal updated transcript, a committee note, or an internal correction) should be documented and visible.
- Unverifiable claims: a number of media reports and activist briefings have alleged direct linkage between US pressure and vendor shutdowns. While many such reports are credible, some remain based on sourced but not publicly verifiable claims. Where such claims are used in procurement or policy decisions, organisations should demand traceable evidence. Readers should treat press reports that lack primary documentation with caution and prefer official transcripts, sworn testimony, and vendor statements. The committee transcript and the French Senate record are primary public documents that are unambiguous on the legal realities. (committees.parliament.uk)
- Legal avenues: vendors may promise to “vigorously contest” orders in court, but litigation is slow and outcomes are uncertain. A legal victory in one jurisdiction does not change the existence of a lawful demand in another. Policies must therefore be pragmatic, not rhetorical.
Conclusion: a systemic moment, not merely a disputed line in Hansard
The Milward exchange and Microsoft’s subsequent request to correct the record are important because political scrutiny matters: companies must be precise when testifying to lawmakers. But the wider, harder lesson is systemic and remains unchanged by a factual correction: jurisdictions and laws create real operational constraints on global cloud services.The French Senate’s sworn admission by a senior Microsoft France executive — “I cannot guarantee” that data held in the EU will never be disclosed to US authorities — is the structural fact that will continue to shape procurement, architecture, and geopolitics in the months and years ahead. That legal reality is driving the surge in sovereign‑cloud spending that analysts quantify, and the ICC’s move to OpenDesk is an emblematic digital‑sovereignty response.
If you are a policy maker, procurement lead or C‑suite executive in Europe, treat this as a governance problem as much as a technology decision. The path forward is not to demonise individual vendors — many of which offer valuable services — but to design contracts, architectures and public strategies that recognise legal reality, distribute risk, and develop resilient, sovereign options where national security, justice, or democratic accountability demand it.
Source: theregister.com Microsoft asks UK Parliament to correct US sanction evidence
