Europe-only alternative to Microsoft Azure.
Microsoft Azure is the cloud most often defended with the words "but we already use Microsoft for everything." That defence does not survive a Schrems II analysis: Microsoft Corporation is a US company, every Azure subsidiary is US-controlled, and Microsoft has explicitly acknowledged in court (Microsoft Ireland, 2018) that it would comply with valid US legal process for data anywhere globally — which is precisely what the CLOUD Act later codified. The "Microsoft Cloud for Sovereignty" and Bleu (Microsoft × Capgemini × Orange) initiatives are interesting but technology-licensed from a US parent. For genuine EU sovereignty, you exit. Below is the map.
"EU region" is not sovereignty. Four questions decide.
Data residency says where the data sits. Sovereignty says which legal system can compel access. The answer has to hold on all four points; otherwise the stack is not sovereign.
Where is the data physically stored?
Not "in the cloud": which data centre, in which country, under which legal system.
Who else is in your data path?
Every vendor that touches the data: the CDN, the e-mail relay, the error tracker, the analytics pipeline.
Whose laws can compel disclosure?
A provider headquartered in the US is subject to FISA 702 and the CLOUD Act, even if the data sits in Frankfurt.
Who actually holds the encryption keys?
If the cloud provider holds both the data and the keys, the data is readable to it, regardless of any DPA.
Fails on jurisdiction and key custody.
EU data, US parent company, US subprocessors in the default path, provider-managed keys.
Passes on all four points.
EU-hosted on infrastructure headquartered in the EU. Zero US subprocessors in the default path. Customer or EU KMS keys. Listed by name in your Article 28 DPA.
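The four questions can be run as a check over a data-path inventory. The sketch below is an added example, not tooling from this page: the field names, the simplified EU/EEA country set and both sample stacks are constructed assumptions.

```python
from dataclasses import dataclass

# Simplified EU/EEA country set; an assumption made for this example.
EU_EEA = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE",
          "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT",
          "RO", "SK", "SI", "ES", "SE", "IS", "LI", "NO"}

@dataclass(frozen=True)
class Component:              # hypothetical inventory record
    name: str                 # role in the data path, e.g. "cdn"
    parent_hq: str            # country of the ultimate parent company
    data_country: str         # where the data is physically stored
    key_holder: str           # "customer", "eu-kms" or "provider"
    in_dpa: bool              # named in the Article 28 DPA

def failed_questions(c):
    """Return which of the four questions one component fails."""
    failed = []
    if c.data_country not in EU_EEA:
        failed.append("residency")
    if not c.in_dpa:                      # undocumented party in the data path
        failed.append("data_path")
    if c.parent_hq not in EU_EEA:         # parent jurisdiction can compel access
        failed.append("jurisdiction")
    if c.key_holder not in {"customer", "eu-kms"}:
        failed.append("key_custody")
    return failed

def assess(stack):
    """Map component name -> list of failed questions."""
    return {c.name: failed_questions(c) for c in stack}

def failing_questions(stack):
    """Questions failed anywhere in the stack; an empty list means all four pass."""
    return sorted({q for c in stack for q in failed_questions(c)})

# Constructed sample inventories mirroring the two profiles described above.
US_PARENT_STACK = [
    Component("compute", "US", "DE", "provider", True),
    Component("error-tracker", "US", "IE", "provider", True),
]
EU_NATIVE_STACK = [
    Component("compute", "DE", "DE", "customer", True),
    Component("cdn", "SI", "DE", "eu-kms", True),
]

if __name__ == "__main__":
    for label, stack in (("US parent", US_PARENT_STACK), ("EU native", EU_NATIVE_STACK)):
        print(label, failing_questions(stack) or "passes all four")
```

The check reads the parent company's headquarters, not the data centre location, so an EU-region deployment under a US parent still fails on jurisdiction.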
Why teams leave Microsoft Azure
Azure exits typically come from one of three triggers: a public-sector tender that explicitly excludes US-jurisdiction processors, a healthcare or financial services audit that flagged Microsoft 365 + Azure as a single concentration risk under DORA, or a CISO who calculated that the licence true-up costs and "free" Azure credits actually translate to vendor lock-in worth six figures. The Azure ecosystem has tighter coupling than AWS — Active Directory, Office 365, Defender, Sentinel are typically all in the mix — which makes the migration more invasive than its AWS equivalent. It is still doable; we have done it.
Microsoft Azure services and their EU-only equivalents
A migration is not "swapping one box for another". The mapping below is what we run for clients leaving Microsoft Azure for Schrems II reasons: full EU jurisdiction, no US parent in the data path.
| Microsoft Azure service | EU-only alternative | Engineering note |
|---|---|---|
| Azure Virtual Machines | Hetzner Cloud, OVH, IONOS, Scaleway Instances | IaaS migration is straightforward; the Windows licensing chapter requires more thought (BYOL or move to Linux-where-possible). |
| Azure Blob Storage | OVH Object Storage, Wasabi EU, self-hosted Ceph or MinIO | S3-compatible EU storage is the migration target; SDK changes are minimal. |
| Azure SQL Database | Azure → PostgreSQL or MySQL on EU managed providers (OVH, Aiven), or self-managed | Schema porting from Azure SQL (T-SQL flavour) is the longest single task; tools like AWS SCT or pgloader help. Often a good moment to revisit ORM choices. |
| Azure Front Door / CDN | Bunny.net, KeyCDN | Bunny offers comparable POP density and dramatically lower per-GB pricing. |
| Azure DNS | Hetzner DNS, Bunny DNS, deSEC | For most use cases Hetzner DNS is sufficient; deSEC adds DNSSEC by default. |
| AKS (managed Kubernetes) | Scaleway Kapsule, OVH Managed Kubernetes, IONOS K8s, or self-managed Talos / K3s on Hetzner | Helm charts and YAML transfer cleanly; Azure-specific addons (Application Gateway Ingress, Azure CNI) need replacement with standard equivalents. |
| Azure Functions | Scaleway Serverless Functions, self-hosted Knative or OpenFaaS | Most Azure Functions workloads fit a small EU Kubernetes cluster running Knative. |
| Azure Active Directory / Entra ID | Keycloak (RH-sponsored) on EU infra, Authentik (DE), self-hosted SCIM/OIDC providers | The hardest single migration. Plan for a 3-month parallel-run window. SSO integrations across SaaS need re-mapping. |
| Azure Service Bus / Event Grid | Self-hosted RabbitMQ or NATS, Apache Kafka on EU compute | Managed queueing options in the EU sovereign space are limited; self-managed is standard. |
| Azure Monitor / Application Insights | Self-hosted Prometheus + Grafana + Loki + Tempo, or Grafana Cloud EU region | OpenTelemetry instrumentation makes the swap mechanical for application code. |
| Azure Cosmos DB | PostgreSQL with appropriate indexing on EU managed services, or ScyllaDB / FoundationDB self-hosted | No 1:1 replacement for global multi-region active-active; if your workload truly needs that pattern, the conversation is different. |
| Defender / Sentinel (security) | Wazuh (self-hosted), CrowdSec (FR), self-hosted SIEM on EU compute | CrowdSec is FR-headquartered and increasingly competitive in the SIEM/IDS space. |
| Key Vault | HashiCorp Vault on EU infra, optionally HSM-backed | Vault is the production-grade sovereign answer; we operate it for clients. |
| Microsoft 365 (email, Teams, OneDrive) | mailbox.org (DE), Tuta (DE), Nextcloud (DE) for storage, Element/Matrix or Mattermost for chat | Often the harder political conversation than the infrastructure migration. Frequently kept on M365 with documented exposure rather than migrated. |
How we migrate from Microsoft Azure
A typical mid-market migration runs in three phases. The figures below assume a 6–10-person engineering team and a moderately complex application stack.
Audit & ID-mapping
Inventory Azure services, Entra ID dependencies, SSO integrations and licensing. The identity layer is the longest tail. Output: phased plan with the SSO migration scoped separately.
Edge, monitoring, soft dependencies
Replace Front Door, Azure DNS, App Insights and Blob Storage. Pre-stage EU compute and replicate database. Move CI/CD off Azure DevOps if applicable.
Compute, DB, identity cutover
AKS workloads to managed EU K8s. SQL Database to PostgreSQL with logical replication for live cutover. Identity migration with parallel-run; cut SSO over per application.
5-year TCO on Azure exits we have run: typically 25–45% cheaper, with the largest savings coming from licence true-up avoidance and bandwidth/egress. Bear in mind: if your team uses Microsoft 365 and is staying on it, the identity-layer migration only partially decouples — that decision belongs at board level.
Frequently asked questions
Does Microsoft Cloud for Sovereignty solve the Schrems II problem?
It improves the documentation story but does not change the underlying jurisdiction: Microsoft Corporation remains the parent. For workloads where the analysis turns on parent-jurisdiction (i.e. most regulated workloads after Schrems II), it is not sufficient on its own.
What about Bleu? Or T-Systems Open Sovereign Cloud?
Bleu (Microsoft × Capgemini × Orange) and T-Systems Open Sovereign Cloud (Google Cloud licensed) are pseudo-sovereign offerings — operated by EU-headquartered entities under licence from a US technology partner. They can satisfy specific regulatory requirements (notably the French SecNumCloud certification for Bleu) but inherit a stack they cannot independently maintain. For most buyers, a clean EU-native stack is the architecturally simpler answer.
Can we leave Azure but keep Microsoft 365?
Yes, and many of our clients run that hybrid. The trade-off is that personal data flowing through M365 (email content, OneDrive files, Teams chat) remains under Microsoft processing. Document it in your DPA, apply supplementary measures (encryption at rest with EU-held keys for sensitive folders), and keep customer-data infrastructure on the sovereign stack.
How does this affect our Microsoft Enterprise Agreement?
Existing EAs typically have annual or multi-year terms; the migration target is to stop the next renewal or right-size it, not to break the current contract. Your account manager will offer concessions when they hear "we are evaluating sovereign alternatives." Use that.
Is Active Directory replaceable in practice?
Replaceable in stages. Keycloak handles OIDC/SAML/SCIM well; for Windows-domain authentication on physical desktops, Samba 4 with FreeIPA is the established open-source path. The transition typically runs alongside a "modern workplace" simplification — fewer per-app SSOs, more standard OIDC.
How long does an Azure exit take?
For a mid-size workload (50–200 VMs, 1–2 SQL DBs, AKS, Entra ID): 16–24 weeks elapsed time. With a managed-infrastructure partner driving the choreography: 10–16 weeks. The identity layer is the schedule risk, not the compute.
Plan your exit from Microsoft Azure.
30-minute scoping call. We map your stack to EU-only alternatives, estimate the migration effort, and tell you whether it is the right decision.