EU Commission’s Microsoft Reliance Under Scrutiny
European Commission officials are raising alarms over their dependency on Microsoft, suggesting it may breach EU data regulations. The main concern revolves around the use of Microsoft365 as the Commission’s digital workspace, which has drawn scrutiny for potential security and privacy issues. The European Data Protection Supervisor (EDPS) has instructed the Commission to ensure compliance with EU data protection rules, yet progress towards finding less intrusive European alternatives remains minimal.
Internal documents reveal a significant gap between the EU’s ambition for IT autonomy and its current reliance on American technology. French authorities have voiced concerns about the risks linked to using US-based solutions. The Directorate-General for Digital Services (DG DIGIT) also highlighted the dangers of depending on a single supplier, such as potential price increases and migration challenges, though the Commission has not publicly addressed these issues.
The EDPS ordered the Commission in March 2024 to review its contract with Microsoft to align with EU data protection standards. However, the Commission contested this order, claiming compliance with the rules. The EDPS is currently reviewing the Commission’s submitted documentation while maintaining that the March decision remains valid. This situation underscores the broader security concerns tied to the lack of control over data handled by Microsoft.
As the Commission grapples with these challenges, there is no equivalent body to the EDPS for cybersecurity oversight. This lack of a dedicated cybersecurity agency may lead to underreporting of sensitive information to continue using Microsoft services. The upcoming election of a new EDPS chief could influence the direction of future data protection enforcement, with candidates offering varying degrees of alignment with Commission practices.
Source: Internal documents reveal Commission fears over Microsoft dependency
