
NIS2 and GDPR with Microsoft 365 – The Compliance Paradox of European Companies

NIS2, GDPR and BSI demand strict data control. At the same time 90% of companies run on US cloud, wide open through the CLOUD Act. Why the compliance illusion collapses in 2026 – and what to do now.


European regulators are tightening the screws in 2026. NIS2 binds roughly 29,000 companies in Germany alone to strict information-security duties. GDPR fines for the most serious violations, which include unlawful third-country transfers (Art. 83(5)), reach €20m or 4 % of global annual turnover, whichever is higher. The German BSI (Federal Office for Information Security) requires demonstrable control over every step of data processing through its IT-Grundschutz Compendium and the C5 cloud criteria catalogue.

At the same time, the entire infrastructure of most companies runs on Microsoft 365 – a closed-source platform of a US corporation that can be compelled at any time, under the CLOUD Act, to hand over customer data to US authorities.

This is not a compliance risk. This is a systemic self-contradiction. And in 2026, it is breaking apart.

The three pillars of compliance pressure in 2026

1. NIS2 – fully effective from March 2026

The NIS2 Directive (Network and Information Security Directive 2) has applied across the EU since 18 October 2024. Germany transposed it with the NIS2 Implementation Act (NIS2UmsuCG). About 29,000 companies in energy, transport, banking, health, water, digital infrastructure, public administration, manufacturing and many other sectors are affected – plus their entire supply chain.

Core obligations:

  • Risk management for information security (Art. 21 NIS2)
  • Supply-chain security (Art. 21(2)(d)) – you must manage the security of your supplier relationships, which makes your cloud providers' gaps your problem
  • Notification duty (Art. 23): early warning within 24 hours, incident notification within 72 hours, final report within one month
  • Management liability (Art. 20) – management bodies must approve and oversee the measures and can be held personally liable
  • Fines up to €10m or 2 % of global annual turnover for essential entities (€7m or 1.4 % for important entities)

2. GDPR – Schrems III on the way

The GDPR has applied since May 2018, and its enforcement hardens further in 2026: data-protection authorities in Berlin, North Rhine-Westphalia, Hesse and Baden-Württemberg have banned or advised against Microsoft 365 in schools and public institutions. Max Schrems' third challenge, this time against the EU-US Data Privacy Framework (DPF), is pending; most observers expect a ruling in favour of the plaintiffs.

3. BSI IT-Grundschutz and C5 – demonstrable control required

The BSI demands, through the IT-Grundschutz Compendium and the C5 cloud catalogue, demonstrable control over:

  • Key management – who holds the cryptographic keys?
  • Data centre location – in the EU/EEA, free of third-country exposure?
  • Third-party access – including by foreign authorities?
  • Full auditability – including source code for critical components?

For Microsoft 365 the honest answer to every one of these questions is: No, we cannot guarantee that.

Wide open: Microsoft 365 under the CLOUD Act

The US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) obliges providers subject to US jurisdiction to produce data in their possession, custody or control when served with a US warrant or order, regardless of where that data is stored. Frankfurt, Dublin, Amsterdam: the server location is irrelevant. If Microsoft technically and contractually controls the data, Microsoft must hand it over.

Microsoft confirmed this under oath before the French Senate in 2025: there is no guarantee that data inside the "EU Data Boundary" will never reach US authorities. The second Trump administration further hollowed out judicial review of CLOUD Act requests through executive order in 2025.

For any company using Microsoft 365, this means:

  1. Your emails, Teams chats, OneDrive files and SharePoint documents are, in principle, accessible to US authorities at any time.
  2. You will not know when a request arrives – gag orders forbid notifying the data subjects.
  3. You cannot prevent it, because the keys the service decrypts with are operated by Microsoft, whether they are Microsoft-managed or supplied by you via Customer Key.

The paradox in one table

Compliance requirement | Reality with Microsoft 365
NIS2 Art. 21: supply-chain control | Microsoft is a single point of failure for >90 % of the German economy
NIS2 Art. 23: 24-hour early warning | Microsoft's own disclosure lags: the Midnight Blizzard intrusion began in November 2023, was detected in January 2024, and its full scope (including source-code access) was disclosed over the following months
GDPR Art. 44: third-country transfer with safeguards | A CLOUD Act order reaches the data regardless of any contractual safeguard
GDPR Art. 32: state of the art | Closed-source code: no independent verification of the implementation is possible
BSI IT-Grundschutz CON.1 (crypto concept) / OPS.2.2 (cloud use): key sovereignty | Microsoft, not the customer, operates the keys the service decrypts with
BSI C5: location control | The "EU Data Boundary" fixes storage location, not jurisdiction; without CLOUD Act protection it is worthless
BSI: auditability | Source code is not inspectable; assurance rests on attestations (SOC 2, ISO 27001, C5) scoped and commissioned by Microsoft

Anyone claiming to be simultaneously NIS2-compliant and GDPR-compliant on Microsoft 365 is lying to themselves. Regulators know it. Insurers know it. And in the event of a claim, a court will know it.

Common questions on Microsoft 365 compliance

Does Microsoft's EU Data Boundary protect against the CLOUD Act?

No. The EU Data Boundary stores data in EU data centres. It changes nothing about the CLOUD Act: Microsoft Corp. (USA) remains the entity subject to US legal process, and it controls the data. Microsoft confirmed this under oath before the French Senate in 2025.

Are Standard Contractual Clauses (SCCs) enough for lawful Microsoft 365 use?

No. In Schrems II the CJEU upheld SCCs only on condition that the data exporter verifies, case by case, that the law of the destination country does not undermine them, and adds supplementary measures where it does. For a cloud provider that needs the data in clear text to operate the service, the EDPB found in its Recommendations 01/2020 (use case 6) that no effective supplementary measure exists. Note that since July 2023 most Microsoft 365 transfers formally rest on the EU-US Data Privacy Framework adequacy decision (Microsoft is DPF-certified) rather than on SCCs; the SCC problem returns in full the moment that decision is struck down.

Are Customer Key (BYOK) or Customer Lockbox sufficient for GDPR?

No, and neither is client-side encryption in the sense the question implies. Customer Key only lets you supply the root key that wraps Microsoft's data-encryption keys; the service still decrypts content on its side, because indexing, search, anti-spam, DLP and Copilot need plaintext. Customer Lockbox merely adds an approval step for Microsoft support engineers and does not apply to legal demands. The one mechanism that actually keeps a key out of Microsoft's hands, Double Key Encryption, is limited to individually labelled documents and disables search, eDiscovery and Copilot for them. That confirms the trade-off: the platform's features depend on Microsoft being able to read the data, so general end-to-end encryption of Microsoft 365 does not exist.
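To make the difference between "you hold the root key" and "Microsoft cannot read the data" concrete, here is an added toy model (not code from the original post and not Microsoft's implementation). The TenantKeyVault, the two mailbox classes and the sample mails are assumptions constructed for the demo; the cipher is a throwaway HMAC-SHA256 keystream standing in for a real AEAD. In the provider-side model the tenant's key only wraps a data-encryption key that the service keeps in memory, so the service can index, search and answer a disclosure request without ever asking the tenant again; in the client-side model the provider holds ciphertext only and can do none of those things.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style cipher: HMAC-SHA256 over (nonce, counter) as keystream.
    Demonstration only; use AES-GCM from a real library in production."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + _keystream_xor(key, nonce, data)


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    return _keystream_xor(key, blob[:16], blob[16:])


class TenantKeyVault:
    """Customer-held root key (the 'bring your own key' part). It only wraps and
    unwraps the provider's data-encryption key (DEK); it never sees content."""

    def __init__(self) -> None:
        self._kek = secrets.token_bytes(32)
        self.unwrap_requests: list[str] = []   # audit trail of who asked for the DEK

    def wrap(self, dek: bytes) -> bytes:
        return toy_encrypt(self._kek, dek)

    def unwrap(self, wrapped_dek: bytes, requester: str) -> bytes:
        self.unwrap_requests.append(requester)
        return toy_decrypt(self._kek, wrapped_dek)


class ServiceSideEncryptedMailbox:
    """Provider-side encryption with a customer root key: the provider generates
    the DEK, has the tenant vault wrap it once, then keeps the plaintext DEK in
    memory so indexing, search and disclosure work without the tenant."""

    def __init__(self, vault: TenantKeyVault) -> None:
        dek = secrets.token_bytes(32)
        self.wrapped_dek = vault.wrap(dek)                       # what is persisted
        self._dek = vault.unwrap(self.wrapped_dek, "service-start-up")  # what is used
        self.blobs: dict[str, bytes] = {}
        self.index: dict[str, set[str]] = {}

    def store(self, doc_id: str, text: str) -> None:
        self.blobs[doc_id] = toy_encrypt(self._dek, text.encode())
        for word in set(text.lower().split()):   # indexing requires plaintext
            self.index.setdefault(word, set()).add(doc_id)

    def search(self, word: str) -> list[str]:
        return sorted(self.index.get(word.lower(), set()))

    def disclose(self, doc_id: str) -> str:
        """A production order is answered by the provider alone: the cached DEK
        decrypts the blob and the tenant vault is not consulted."""
        return toy_decrypt(self._dek, self.blobs[doc_id]).decode()


class ClientSideEncryptedMailbox:
    """True client-side encryption: the tenant encrypts before upload and the
    provider only ever holds ciphertext."""

    def __init__(self) -> None:
        self.blobs: dict[str, bytes] = {}

    def store(self, doc_id: str, blob: bytes) -> None:
        self.blobs[doc_id] = blob            # opaque bytes to the provider

    def search(self, word: str) -> list[str]:
        return []                            # nothing server-side to index

    def disclose(self, doc_id: str) -> bytes:
        return self.blobs[doc_id]            # only ciphertext can be produced


def run_demo() -> dict:
    """Constructed sample: two mails, one keyword search, one disclosure order."""
    mails = {
        "mail-1": "Quarterly HR review: salary bands attached",
        "mail-2": "Lunch on Friday?",
    }
    vault = TenantKeyVault()
    provider = ServiceSideEncryptedMailbox(vault)
    for doc_id, text in mails.items():
        provider.store(doc_id, text)

    client_key = secrets.token_bytes(32)     # never leaves the tenant
    e2e = ClientSideEncryptedMailbox()
    for doc_id, text in mails.items():
        e2e.store(doc_id, toy_encrypt(client_key, text.encode()))

    return {
        "byok_search_salary": provider.search("salary"),
        "byok_disclosure": provider.disclose("mail-1"),
        "byok_vault_consulted": vault.unwrap_requests,   # only at start-up
        "e2e_search_salary": e2e.search("salary"),
        "e2e_disclosure_is_plaintext": e2e.disclose("mail-1") == mails["mail-1"].encode(),
        "tenant_can_still_read": toy_decrypt(client_key, e2e.disclose("mail-1")).decode(),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v!r}")
```

The vault's audit trail is the tell: with a provider-side scheme the tenant sees a single unwrap at start-up and nothing when the disclosure happens, which is exactly the situation described above for Customer Key. Revoking the root key only bites once the provider has actually purged its cached DEK.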

Does the NIS2 Directive also apply to small companies?

NIS2 directly covers medium and large enterprises in the 18 sectors of Annexes I and II. Small companies are pulled in indirectly when they sit in the supply chain of a NIS2-regulated company: your large customer will contractually push the obligations down to you – if a NIS2 addendum to your contracts has not arrived yet, it will.

What fines apply to NIS2 violations?

Essential entities: up to €10m or 2 % of worldwide annual turnover, whichever is higher. Important entities: up to €7m or 1.4 %. In addition, management bodies can be held personally liable under Art. 20 for failing to approve and oversee the required measures.

How to migrate NIS2- and GDPR-compliantly – the compliance migration path

Step 1: Data-flow audit (immediate, 2–4 weeks)

  • Which personal / business-critical data flows into which US services?
  • Who in your supply chain is subject to NIS2?
  • Which data categories are particularly sensitive (HR, finance, R&D, health)?

Step 2: Risk analysis per BSI Standard 200-3 (4–8 weeks)

  • Assess every data flow against NIS2 Art. 21, GDPR Art. 32, BSI Grundschutz modules
  • Document for the supervisory authorities – this is your liability shield

Step 3: Migration plan to sovereign open-source infrastructure

Concrete replacements we implement at europioneer for SMEs and public bodies:

Microsoft component | Sovereign open-source alternative
Outlook + Exchange | Mailcow / Stalwart Mail + SOGo
Teams (chat & video) | Element / Matrix + Element Call
OneDrive / SharePoint | Nextcloud Hub
Word / Excel / PowerPoint | ONLYOFFICE / Collabora
OneNote | Nextcloud Notes / Joplin Server
Active Directory | Keycloak + Univention Corporate Server
LastPass / Authenticator | Vaultwarden
Power Automate | n8n (self-hosted)
Microsoft Defender | Wazuh + Suricata + ClamAV
Azure | OpenStack / Proxmox on EU hardware

All hosted at Hetzner, OVHcloud, Scaleway or IONOS – or on-premise. Part of the EUROSTACK for digital sovereignty. Full key sovereignty. Auditable source code. No US jurisdiction.

Step 4: Phased migration without productivity loss (8–16 weeks)

We migrate in waves per department, typically 8–16 weeks for an SME of 20–100 employees. Email addresses stay, data is taken over 1:1, employees are trained. Fixed price, documented compliance trail for GDPR/NIS2/BSI audits included. A detailed Microsoft 365 vs. open-source cost comparison shows why the migration usually pays back within 12 months.

Doing nothing costs twice

The cost of migration in 2026 is calculable. The cost of inaction is not:

  • GDPR fine post-Schrems III: up to 4 % of global turnover
  • NIS2 fine: up to €10m or 2 % of global turnover
  • Personal management liability under NIS2
  • GDPR Art. 82 claims from affected individuals
  • Reputation damage when an incident must be disclosed
  • Insurance exclusion: cyber insurers will not pay for wilful compliance breach

And the emergency premium for a migration after a Schrems III ruling is in our experience 3 to 5 times the cost of a planned migration.

Conclusion: Sovereignty is not a luxury, it is compliance

Through NIS2, GDPR and BSI Grundschutz, the EU demands from companies exactly what Microsoft 365 structurally cannot deliver: control, auditability, protection from third-country access.

Claiming that both work together is compliance theatre. The question is no longer whether you migrate – it is whether you plan it or whether the first fine forces you to.

We have standardised the migration path. Sovereign EU infrastructure, transparent fixed price, GDPR / NIS2 / BSI compliance documentation included.

Book a free compliance consultation →
