Microsoft’s AI-powered assistant, Copilot, will soon be sending data outside the European Union (EU) during peak demand hours unless administrators choose otherwise.
Microsoft has introduced flex routing, which allows large language model (LLM) inferencing – producing outputs to users’ prompts – to occur outside the EU Data Boundary during periods of peak demand to “maintain a consistent Copilot experience.”
The EU Data Boundary is a geographical boundary within which Microsoft stores and processes customer data and personal data for online services. In simple terms, it allows data to stay within European borders.
The company says data will be encrypted in transit and at rest, regardless of where LLM inference occurs, with the United States, Canada, or Australia being potential destinations for flex routing.
“Data at rest will continue to be stored inside the EU Data Boundary, except for limited pseudonymized data which may be stored outside the EU Data Boundary for security and operational purposes,” Microsoft’s statement reads.
Tenant administrators can disallow flex routing by changing settings in the Microsoft 365 admin center or Power Platform admin center.
The change will affect users in the EU and the European Free Trade Association (EFTA), which includes Iceland, Liechtenstein, Norway, and Switzerland.
Significant compliance gap
Danny de Vries, Hakim van der Maas, and Robbert Berghuis from Avanade, an IT service management company, write in their Substack post that enabling flex routing as the default marks a shift away from Microsoft’s cautious approach to the EU data boundary.
They argue that “limited pseudonymized data,” which may be stored outside the EU data boundary for “security and operational purposes,” likely refers to session IDs and usage timestamps.
However, they say the phrasing leaves room for ambiguity, highlighting a significant compliance gap.
“Organizations subject to GDPR need to know not just where data travels, but what remains, for how long, and who can access it,” the post reads, referring to the EU’s data privacy and security law.
GDPR, short for General Data Protection Regulation, requires companies to ensure the law’s protections travel with the data when it is transferred outside the EU.
Europe is saying goodbye to Microsoft
Microsoft has introduced flex routing as an increasing number of European countries replace the company’s products with local alternatives amid concerns about digital dependence on US technology companies.
Germany announced in March 2026 that all public-sector documents will be issued only in open formats, explicitly excluding proprietary formats such as Microsoft Word.
The conversation on this topic is live. Join in the discussion.
In 2025, Germany’s northernmost state, Schleswig-Holstein, announced that 80% of state government workplaces had switched from Microsoft software to open-source alternatives.
The Austrian Armed Forces switched from Microsoft Office to LibreOffice, an open-source German office suite, in 2025, citing efforts to strengthen the country’s digital sovereignty.
A similar transition was initiated by the Danish government last year, as the country grapples with Donald Trump's demands to hand over Greenland, an island that is part of the Kingdom of Denmark.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked