[{"data":1,"prerenderedAt":934},["ShallowReactive",2],{"navigation-docs_en":3,"/en/blog/nis2-gdpr-microsoft-paradox-posts_en":51,"/en/blog/nis2-gdpr-microsoft-paradox-surround-posts_en":925},[4],{"title":5,"path":6,"stem":7,"children":8,"page":25},"En","/en","en",[9],{"title":10,"path":11,"stem":12,"children":13,"page":25},"Docs","/en/docs","en/1.docs",[14,26],{"title":15,"path":16,"stem":17,"children":18,"icon":25},"Getting Started","/en/docs/getting-started","en/1.docs/1.getting-started/1.index",[19,21],{"title":20,"path":16,"stem":17,"children":-1},"Introduction",{"title":22,"path":23,"stem":24,"children":-1},"Migration Roadmap","/en/docs/getting-started/migration-fahrplan","en/1.docs/1.getting-started/2.migration-fahrplan",false,{"title":27,"path":28,"stem":29,"children":30,"page":25},"Technologies","/en/docs/technologies","en/1.docs/2.technologies",[31,35,39,43,47],{"title":32,"path":33,"stem":34,"children":-1},"Nextcloud","/en/docs/technologies/nextcloud","en/1.docs/2.technologies/1.nextcloud",{"title":36,"path":37,"stem":38,"children":-1},"Matrix / Element","/en/docs/technologies/matrix","en/1.docs/2.technologies/2.matrix",{"title":40,"path":41,"stem":42,"children":-1},"ONLYOFFICE","/en/docs/technologies/onlyoffice","en/1.docs/2.technologies/3.onlyoffice",{"title":44,"path":45,"stem":46,"children":-1},"Ubuntu Linux","/en/docs/technologies/ubuntu","en/1.docs/2.technologies/4.ubuntu",{"title":48,"path":49,"stem":50,"children":-1},"Keycloak","/en/docs/technologies/keycloak","en/1.docs/2.technologies/5.keycloak",{"id":52,"title":53,"authors":54,"badge":60,"body":62,"date":883,"description":884,"extension":885,"faq":886,"howto":900,"image":917,"meta":919,"navigation":920,"path":921,"seo":922,"stem":923,"__hash__":924},"posts_en/en/3.blog/10.nis2-gdpr-microsoft-paradox.md","NIS2 and GDPR with Microsoft 365 – The Compliance Paradox of European Companies",[55],{"name":56,"to":57,"avatar":58},"europioneer 
Team","https://europioneer.io",{"src":59},"/favicon.svg",{"label":61},"Compliance",{"type":63,"value":64,"toc":856},"minimark",[65,69,104,122,129,134,139,157,160,208,212,234,238,251,277,283,287,301,312,315,346,350,426,441,445,449,460,464,483,487,498,502,521,525,536,540,544,555,559,570,574,582,682,707,711,733,737,744,782,797,801,808,822,825,831,834,839],[66,67,53],"h1",{"id":68},"nis2-and-gdpr-with-microsoft-365-the-compliance-paradox-of-european-companies",[70,71,72,73,77,78,81,82,85,86,89,90,93,94,103],"p",{},"European regulators are tightening the screws in 2026. ",[74,75,76],"strong",{},"NIS2"," binds roughly ",[74,79,80],{},"29,000 companies in Germany alone"," to strict information-security duties. ",[74,83,84],{},"GDPR"," punishes data breaches with up to ",[74,87,88],{},"4 % of global annual turnover",". The German ",[74,91,92],{},"BSI"," (Federal Office for Information Security) requires demonstrable control over every step of data processing through its ",[95,96,98,99,102],"a",{"href":97},"/en/blog/bsi-it-grundschutz-microsoft-365","IT-Grundschutz catalogue and the ",[74,100,101],{},"C5"," cloud criteria",".",[70,105,106,107,110,111,114,115,121],{},"At the same time, the entire infrastructure of most companies runs on ",[74,108,109],{},"Microsoft 365"," – a ",[74,112,113],{},"closed-source platform of a US corporation"," that can be compelled at any time, under the ",[95,116,118],{"href":117},"/en/blog/cloud-act-2026",[74,119,120],{},"CLOUD Act",", to hand over customer data to US authorities.",[70,123,124,125,128],{},"This is not a compliance risk. This is a ",[74,126,127],{},"systemic self-contradiction",". And in 2026, it is breaking apart.",[130,131,133],"h2",{"id":132},"the-three-pillars-of-compliance-pressure-in-2026","The three pillars of compliance pressure in 2026",[135,136,138],"h3",{"id":137},"_1-nis2-fully-effective-from-march-2026","1. 
NIS2 – fully effective from March 2026",[70,140,141,142,145,146,149,150,153,154,103],{},"The ",[74,143,144],{},"NIS2 Directive (Network and Information Security Directive 2)"," has been in force in the EU since October 2024. Germany passed the ",[74,147,148],{},"NIS2 Implementation Act (NIS2UmsuCG)",". About ",[74,151,152],{},"29,000 companies"," in energy, transport, banking, health, water, digital infrastructure, public administration, manufacturing and many other sectors are affected – plus their ",[74,155,156],{},"entire supply chain",[70,158,159],{},"Core obligations:",[161,162,163,170,176,189,199],{},[164,165,166,169],{},[74,167,168],{},"Risk management"," for information security (Art. 21 NIS2)",[164,171,172,175],{},[74,173,174],{},"Supply-chain security"," – you are liable for the security gaps of your cloud providers",[164,177,178,181,182,185,186],{},[74,179,180],{},"Notification duty",": initial report within ",[74,183,184],{},"24 hours",", full report within ",[74,187,188],{},"72 hours",[164,190,191,194,195,198],{},[74,192,193],{},"Management liability"," – board members and CEOs are ",[74,196,197],{},"personally"," liable",[164,200,201,204,205],{},[74,202,203],{},"Fines"," up to ",[74,206,207],{},"€10m or 2 % of global annual turnover",[135,209,211],{"id":210},"_2-gdpr-schrems-iii-on-the-way","2. GDPR – Schrems III on the way",[70,213,141,214,216,217,220,221,225,226,233],{},[74,215,84],{}," has been enforceable since 2018. Its interpretation hardens further in 2026: data-protection authorities in Berlin, North Rhine-Westphalia, Hesse and Baden-Württemberg have ",[74,218,219],{},"banned or advised against"," ",[95,222,224],{"href":223},"/en/blog/microsoft-365-schools","Microsoft 365 in schools and public institutions",". 
Max Schrems' ",[95,227,229,230],{"href":228},"/en/blog/schrems-iii-cjeu-ruling","third complaint against the ",[74,231,232],{},"EU-US Data Privacy Framework (DPF)"," is pending – most observers expect a ruling in favour of the plaintiffs.",[135,235,237],{"id":236},"_3-bsi-it-grundschutz-and-c5-demonstrable-control-required","3. BSI IT-Grundschutz and C5 – demonstrable control required",[70,239,141,240,242,243,246,247,250],{},[74,241,92],{}," demands, through the ",[74,244,245],{},"IT-Grundschutz Compendium"," and the ",[74,248,249],{},"C5 cloud catalogue",", demonstrable control over:",[161,252,253,259,265,271],{},[164,254,255,258],{},[74,256,257],{},"Key management"," – who holds the cryptographic keys?",[164,260,261,264],{},[74,262,263],{},"Data centre location"," – in the EU/EEA, free of third-country exposure?",[164,266,267,270],{},[74,268,269],{},"Third-party access"," – including by foreign authorities?",[164,272,273,276],{},[74,274,275],{},"Full auditability"," – including source code for critical components?",[70,278,279,280],{},"For Microsoft 365 the honest answer to every one of these questions is: ",[74,281,282],{},"No, we cannot guarantee that.",[130,284,286],{"id":285},"the-barn-door-microsoft-365-under-the-cloud-act","The barn door: Microsoft 365 under the CLOUD Act",[70,288,141,289,292,293,296,297,300],{},[74,290,291],{},"US CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018)"," obliges every US corporation to disclose data ",[74,294,295],{},"worldwide"," to US authorities – ",[74,298,299],{},"regardless of where the servers are located",". Frankfurt, Dublin, Amsterdam – irrelevant. If Microsoft technically and contractually controls the data, Microsoft must hand it over.",[70,302,303,304,307,308,311],{},"Microsoft confirmed this on oath before the ",[74,305,306],{},"French Senate"," in 2025: ",[74,309,310],{},"there is no guarantee that data inside the \"EU Data Boundary\" will never reach US authorities",". 
The second Trump administration further hollowed out judicial review of CLOUD Act requests through executive order in 2025.",[70,313,314],{},"For any company using Microsoft 365, this means:",[316,317,318,334,340],"ol",{},[164,319,320,323,324,323,327,323,330,333],{},[74,321,322],{},"Your emails",", ",[74,325,326],{},"Teams chats",[74,328,329],{},"OneDrive files",[74,331,332],{},"SharePoint documents"," are theoretically accessible to US authorities at any time.",[164,335,336,339],{},[74,337,338],{},"You will not know"," when a request arrives – gag orders forbid notifying the data subjects.",[164,341,342,345],{},[74,343,344],{},"You cannot prevent it"," because Microsoft holds the keys.",[130,347,349],{"id":348},"the-paradox-in-one-table","The paradox in one table",[351,352,353,366],"table",{},[354,355,356],"thead",{},[357,358,359,363],"tr",{},[360,361,362],"th",{},"Compliance requirement",[360,364,365],{},"Reality with Microsoft 365",[367,368,369,378,386,394,402,410,418],"tbody",{},[357,370,371,375],{},[372,373,374],"td",{},"NIS2 Art. 21: supply-chain control",[372,376,377],{},"Microsoft = single point of failure for >90 % of the German economy",[357,379,380,383],{},[372,381,382],{},"NIS2: 24-hour incident notification",[372,384,385],{},"Microsoft itself sometimes discloses breaches months later (see Midnight Blizzard 2024)",[357,387,388,391],{},[372,389,390],{},"GDPR Art. 44: third-country transfer with safeguards",[372,392,393],{},"CLOUD Act overrides any contractual safeguard",[357,395,396,399],{},[372,397,398],{},"GDPR Art. 
32: state of the art",[372,400,401],{},"Closed-source code = no independent verification possible",[357,403,404,407],{},[372,405,406],{},"BSI IT-Grundschutz APP.5.2: key sovereignty",[372,408,409],{},"Microsoft holds the keys, not the customer",[357,411,412,415],{},[372,413,414],{},"BSI C5: location control",[372,416,417],{},"\"EU Data Boundary\" without CLOUD Act protection is worthless",[357,419,420,423],{},[372,421,422],{},"BSI: auditability",[372,424,425],{},"Source code is not inspectable, audits only through MS partners",[70,427,428,429,432,433,436,437,440],{},"Anyone claiming to be ",[74,430,431],{},"simultaneously"," NIS2-compliant ",[74,434,435],{},"and"," GDPR-compliant on Microsoft 365 is ",[74,438,439],{},"lying to themselves",". Regulators know it. Insurers know it. And in the event of a claim, a court will know it.",[130,442,444],{"id":443},"common-questions-on-microsoft-365-compliance","Common questions on Microsoft 365 compliance",[135,446,448],{"id":447},"does-microsofts-eu-data-boundary-protect-against-the-cloud-act","Does Microsoft's EU Data Boundary protect against the CLOUD Act?",[70,450,451,452,455,456,459],{},"No. The ",[74,453,454],{},"EU Data Boundary"," stores data in EU data centres. ",[74,457,458],{},"It changes nothing about the CLOUD Act."," Microsoft Corp. (USA) remains legally responsible. Microsoft confirmed this on oath before the French Senate in 2025.",[135,461,463],{"id":462},"are-standard-contractual-clauses-sccs-enough-for-lawful-microsoft-365-use","Are Standard Contractual Clauses (SCCs) enough for lawful Microsoft 365 use?",[70,465,466,467,470,471,474,475,478,479,482],{},"No. ",[74,468,469],{},"SCCs"," were declared valid by the CJEU in Schrems II only when the data exporter takes ",[74,472,473],{},"additional safeguards"," that ",[74,476,477],{},"effectively prevent"," US authority access. 
For Microsoft 365 this is ",[74,480,481],{},"technically impossible"," – the EDPB made this explicit in its 01/2020 Recommendations.",[135,484,486],{"id":485},"is-client-side-encryption-byok-customer-lockbox-sufficient-for-gdpr","Is client-side encryption (BYOK / Customer Lockbox) sufficient for GDPR?",[70,488,489,490,493,494,497],{},"No. With BYOK and Customer Lockbox Microsoft ",[74,491,492],{},"still retains access",", because indexing, search, anti-spam and Copilot need decrypted access. ",[74,495,496],{},"True end-to-end encryption does not exist in Microsoft 365"," – Copilot would not work if it did.",[135,499,501],{"id":500},"does-the-nis2-directive-also-apply-to-small-companies","Does the NIS2 Directive also apply to small companies?",[70,503,504,505,508,509,512,513,516,517,520],{},"NIS2 directly covers all ",[74,506,507],{},"medium and large enterprises"," in the ",[74,510,511],{},"18 sectors",". But ",[74,514,515],{},"small companies are also covered"," if they are part of the ",[74,518,519],{},"supply chain"," of NIS2-regulated companies. Your large customer will contractually push the obligations down to you – if a NIS2 annex has not arrived yet, it will.",[135,522,524],{"id":523},"what-fines-apply-to-nis2-violations","What fines apply to NIS2 violations?",[70,526,527,528,531,532,535],{},"Up to ",[74,529,530],{},"€10m or 2 % of worldwide annual turnover",", whichever is higher. 
Additionally, management is ",[74,533,534],{},"personally liable"," under NIS2.",[130,537,539],{"id":538},"how-to-migrate-nis2-and-gdpr-compliantly-the-compliance-migration-path","How to migrate NIS2- and GDPR-compliantly – the compliance migration path",[135,541,543],{"id":542},"step-1-data-flow-audit-immediate-24-weeks-step-1","Step 1: Data-flow audit (immediate, 2–4 weeks)",[161,545,546,549,552],{},[164,547,548],{},"Which personal / business-critical data flows into which US services?",[164,550,551],{},"Who in your supply chain is subject to NIS2?",[164,553,554],{},"Which data categories are particularly sensitive (HR, finance, R&D, health)?",[135,556,558],{"id":557},"step-2-risk-analysis-per-bsi-standard-200-3-48-weeks-step-2","Step 2: Risk analysis per BSI Standard 200-3 (4–8 weeks)",[161,560,561,564],{},[164,562,563],{},"Assess every data flow against NIS2 Art. 21, GDPR Art. 32, BSI Grundschutz modules",[164,565,566,567],{},"Document for the supervisory authorities – this is your ",[74,568,569],{},"liability shield",[135,571,573],{"id":572},"step-3-migration-plan-to-sovereign-open-source-infrastructure-step-3","Step 3: Migration plan to sovereign open-source infrastructure",[70,575,576,577,581],{},"Concrete replacements we implement at ",[95,578,580],{"href":579},"/en/","europioneer"," for SMEs and public bodies:",[351,583,584,594],{},[354,585,586],{},[357,587,588,591],{},[360,589,590],{},"Microsoft component",[360,592,593],{},"Sovereign open-source alternative",[367,595,596,604,615,626,634,642,650,658,666,674],{},[357,597,598,601],{},[372,599,600],{},"Outlook + Exchange",[372,602,603],{},"Mailcow / Stalwart Mail + SOGo",[357,605,606,609],{},[372,607,608],{},"Teams (chat & video)",[372,610,611],{},[95,612,614],{"href":613},"/en/blog/microsoft-teams-alternative","Element / Matrix + Element Call",[357,616,617,620],{},[372,618,619],{},"OneDrive / 
SharePoint",[372,621,622],{},[95,623,625],{"href":624},"/en/blog/nextcloud-vs-onedrive-sharepoint","Nextcloud Hub",[357,627,628,631],{},[372,629,630],{},"Word / Excel / PowerPoint",[372,632,633],{},"ONLYOFFICE / Collabora",[357,635,636,639],{},[372,637,638],{},"OneNote",[372,640,641],{},"Nextcloud Notes / Joplin Server",[357,643,644,647],{},[372,645,646],{},"Active Directory",[372,648,649],{},"Keycloak + Univention Corporate Server",[357,651,652,655],{},[372,653,654],{},"LastPass / Authenticator",[372,656,657],{},"Vaultwarden",[357,659,660,663],{},[372,661,662],{},"Power Automate",[372,664,665],{},"n8n (self-hosted)",[357,667,668,671],{},[372,669,670],{},"Microsoft Defender",[372,672,673],{},"Wazuh + Suricata + ClamAV",[357,675,676,679],{},[372,677,678],{},"Azure",[372,680,681],{},"OpenStack / Proxmox on EU hardware",[70,683,684,685,323,688,323,691,694,695,698,699,703,704],{},"All hosted at ",[74,686,687],{},"Hetzner",[74,689,690],{},"OVHcloud",[74,692,693],{},"Scaleway"," or ",[74,696,697],{},"IONOS"," – or on-premise. Part of the ",[95,700,702],{"href":701},"/en/blog/eurostack-digital-sovereignty","EUROSTACK for digital sovereignty",". ",[74,705,706],{},"Full key sovereignty. Auditable source code. No US jurisdiction.",[135,708,710],{"id":709},"step-4-phased-migration-without-productivity-loss-816-weeks-step-4","Step 4: Phased migration without productivity loss (8–16 weeks)",[70,712,713,714,717,718,323,721,323,724,727,728,732],{},"We migrate in ",[74,715,716],{},"waves per department",", typically 8–16 weeks for an SME of 20–100 employees. ",[74,719,720],{},"Email addresses stay",[74,722,723],{},"data is taken over 1:1",[74,725,726],{},"employees are trained",". Fixed price, documented compliance trail for GDPR/NIS2/BSI audits included. A detailed ",[95,729,731],{"href":730},"/en/blog/microsoft-vs-opensource","Microsoft 365 vs. 
open-source cost comparison"," shows why the migration usually pays back within 12 months.",[130,734,736],{"id":735},"doing-nothing-costs-twice","Doing nothing costs twice",[70,738,739,740,743],{},"The cost of migration in 2026 is calculable. The cost of ",[74,741,742],{},"inaction"," is not:",[161,745,746,752,758,764,770,776],{},[164,747,748,751],{},[74,749,750],{},"GDPR fine"," post-Schrems III: up to 4 % of global turnover",[164,753,754,757],{},[74,755,756],{},"NIS2 fine",": up to €10m or 2 % of global turnover",[164,759,760,763],{},[74,761,762],{},"Personal management liability"," under NIS2",[164,765,766,769],{},[74,767,768],{},"GDPR Art. 82 claims"," from affected individuals",[164,771,772,775],{},[74,773,774],{},"Reputation damage"," when an incident must be disclosed",[164,777,778,781],{},[74,779,780],{},"Insurance exclusion",": cyber insurers will not pay for wilful compliance breach",[70,783,784,785,788,789,792,793,796],{},"And the ",[74,786,787],{},"emergency premium"," for a migration ",[74,790,791],{},"after"," a Schrems III ruling is in our experience ",[74,794,795],{},"3 to 5 times"," the cost of a planned migration.",[130,798,800],{"id":799},"conclusion-sovereignty-is-not-a-luxury-it-is-compliance","Conclusion: Sovereignty is not a luxury, it is compliance",[70,802,803,804,807],{},"Through NIS2, GDPR and BSI Grundschutz, the EU demands from companies ",[74,805,806],{},"exactly what Microsoft 365 structurally cannot deliver",": control, auditability, protection from third-country access.",[70,809,810,811,814,815,818,819,103],{},"Claiming that both work together is ",[74,812,813],{},"compliance theatre",". The question is no longer ",[74,816,817],{},"whether"," you migrate – it is ",[74,820,821],{},"whether you plan it or whether the first fine forces you to",[70,823,824],{},"We have standardised the migration path. 
Sovereign EU infrastructure, transparent fixed price, GDPR / NIS2 / BSI compliance documentation included.",[70,826,827],{},[95,828,830],{"href":829},"/en/contact?subject=NIS2-Migration","Book a free compliance consultation →",[832,833],"hr",{},[70,835,836],{},[74,837,838],{},"Related posts:",[161,840,841,846,851],{},[164,842,843],{},[95,844,845],{"href":117},"CLOUD Act 2026 – Why US cloud is no longer legally tenable",[164,847,848],{},[95,849,850],{"href":228},"Schrems III – What the CJEU 2026/2027 ruling will mean",[164,852,853],{},[95,854,855],{"href":701},"EUROSTACK – Europe's digital sovereignty",{"title":857,"searchDepth":858,"depth":858,"links":859},"",2,[860,866,867,868,875,881,882],{"id":132,"depth":858,"text":133,"children":861},[862,864,865],{"id":137,"depth":863,"text":138},3,{"id":210,"depth":863,"text":211},{"id":236,"depth":863,"text":237},{"id":285,"depth":858,"text":286},{"id":348,"depth":858,"text":349},{"id":443,"depth":858,"text":444,"children":869},[870,871,872,873,874],{"id":447,"depth":863,"text":448},{"id":462,"depth":863,"text":463},{"id":485,"depth":863,"text":486},{"id":500,"depth":863,"text":501},{"id":523,"depth":863,"text":524},{"id":538,"depth":858,"text":539,"children":876},[877,878,879,880],{"id":542,"depth":863,"text":543},{"id":557,"depth":863,"text":558},{"id":572,"depth":863,"text":573},{"id":709,"depth":863,"text":710},{"id":735,"depth":858,"text":736},{"id":799,"depth":858,"text":800},"2026-05-20T00:00:00.000Z","NIS2, GDPR and BSI demand strict data control. At the same time 90% of companies run on US cloud, wide open through the CLOUD Act. Why the compliance illusion collapses in 2026 – and what to do now.","md",[887,889,891,893,895,897],{"q":501,"a":888},"NIS2 directly covers medium and large enterprises in 18 sectors. Small companies are bound through the supply chain – their NIS2-regulated customers pass the obligations down contractually.",{"q":448,"a":890},"No. 
The EU Data Boundary stores data in EU data centres but does not change the fact that Microsoft Corp. (USA) is legally responsible and subject to the CLOUD Act. Microsoft confirmed this on oath before the French Senate in 2025.",{"q":463,"a":892},"No. The CJEU made clear in Schrems II that SCCs are valid only with additional safeguards that effectively prevent US authority access. For Microsoft 365 this is technically impossible – the EDPB made this explicit in Recommendations 01/2020.",{"q":486,"a":894},"No. Microsoft needs decrypted access for indexing, search, anti-spam and Copilot. True end-to-end encryption does not exist in Microsoft 365 – Copilot would not work if it did.",{"q":524,"a":896},"Up to €10m or 2 % of worldwide annual turnover, whichever is higher. Additionally management is personally liable under NIS2.",{"q":898,"a":899},"How long does a migration from Microsoft 365 to sovereign open-source infrastructure take?","For an SME of 20–100 employees, typically 8–16 weeks in phased waves per department. Email addresses are preserved, data is migrated 1:1, employees are trained.",{"name":901,"description":902,"totalTime":903,"steps":904},"NIS2- and GDPR-compliant migration from Microsoft 365 to sovereign open-source infrastructure","Four-step migration path along BSI methodology – from data-flow audit through risk analysis to documented phased migration without productivity loss.","P16W",[905,908,911,914],{"name":906,"text":907},"Data-flow audit","Identify which personal and business-critical data flows into which US services, determine your NIS2 position in the supply chain, mark sensitive categories (HR, finance, R&D, health). Duration 2–4 weeks.",{"name":909,"text":910},"Risk analysis per BSI Standard 200-3","Assess every data flow against NIS2 Art. 21, GDPR Art. 32 and the applicable BSI Grundschutz modules and document the result. The documentation is your liability shield in the event of supervisory review. 
Duration 4–8 weeks.",{"name":912,"text":913},"Migration plan to sovereign open-source stack components","Define concrete 1:1 replacements — Mailcow/Stalwart for Exchange Online, Element/Matrix for Teams, Nextcloud + ONLYOFFICE for OneDrive/SharePoint/Office, Keycloak for Entra ID, Vaultwarden for LastPass. Hosting at Hetzner, OVHcloud, Scaleway, IONOS or on-premise.",{"name":915,"text":916},"Phased migration in departmental waves","Migrate in waves over 8–16 weeks — email addresses are preserved, data is migrated 1:1, employees are trained. Compliance documentation for GDPR / NIS2 / BSI audits runs throughout.",{"src":918},"https://images.unsplash.com/photo-1563013544-824ae1b704d3?w=1200&q=80",{},true,"/en/blog/nis2-gdpr-microsoft-paradox",{"title":53,"description":884},"en/3.blog/10.nis2-gdpr-microsoft-paradox","muhRoVYprubPmWQpIXY484SITecGqQv0x42PuJ6H2Sw",[926,930],{"title":927,"path":730,"stem":928,"description":929,"children":-1},"Microsoft 365 vs. Open Source – The Big Cost Comparison for SMEs","en/3.blog/1.microsoft-vs-opensource","What does Microsoft 365 really cost? We calculate what SMEs with 20 employees can save by switching to open source.",{"title":931,"path":97,"stem":932,"description":933,"children":-1},"BSI IT-Grundschutz and Microsoft 365 – Why the Combination Cannot Be Compliant","en/3.blog/11.bsi-it-grundschutz-microsoft-365","Germany's BSI demands demonstrable control over keys, location and audit in its IT-Grundschutz catalogue. Microsoft 365 fully meets none of the critical modules. We walk through OPS.2.2, APP.5.2, CON.1, CON.3 – and the migration path that does work.",1779405609254]