An early look at the EU Data Boundary

I briefly wrote about the EU Sovereign Cloud in March of this year. Fast forward to today, and we have the official announcement from Microsoft – the EU Data Boundary is being rolled out in a phased manner from January 1, 2023. I’ve waited a long time for this to finally happen, so let’s take a look at what the announcement is about and what this means.

What is the EU Data Boundary?

To quote Microsoft, it’s a “geographically-defined boundary within which Microsoft has committed to store and process customer data for our major commercial enterprise online services.” If you conduct business in the EU or EFTA (the European Free Trade Union) area, this might and probably will affect you in some ways – major or minor.

The EU Data Boundary affects Azure, Dynamics 365, Power Platform, and Microsoft 365. In essence, it’s a process and documentation of how Microsoft manages, analyzes, transmits, and stores customer data. It isn’t a tool, a new service, or a paid offering.

Since I’m based in Finland (which is part of the EU but not EFTA, as EFTA only has four member states: Iceland, Liechtenstein, Norway, and Switzerland), this pertains to my future projects.

Questions I sometimes receive during projects include:

  • “Where is our data? Is it in the EU?”
  • “What data goes outside the EU?”
  • “How can we be sure the data stays in the EU?”

I got a few papercuts during a project a few years back when we assumed all data was in the EU per our configurations. It turns out certain data was transmitted to the US. See my initial blog post on this topic here. Will the EU Data Boundary help in scenarios like these? Not immediately, I’m afraid.

If I use Microsoft Azure, is all my data in the EU?

No, it isn’t. When you deploy and configure services in Azure, you choose a region. Those of us in the EU typically use West Europe (the Netherlands) and North Europe (Ireland). We can also choose more country-specific regions, such as Sweden Central.

Let’s consider a simple example. I provision a new Storage Account in the West Europe region. My data will sit in the Netherlands physically. That is all. But it gets more complicated once you add auxiliary services to, perhaps, manage, monitor, or analyze your data in said Storage Account.

Certain services in Azure have exceptions for the EU Data Boundary. There are non-regional services that are not bound to a specific region (such as West Europe). They don’t have a dependency, and some require rearchitecting by Microsoft to become EU Data Boundary compliant. As of today, the following services are not compliant with the EU Data Boundary – but these services also do not handle customer data:

  • Azure Advisor
  • Azure DNS
  • Azure Lighthouse
  • Azure Network Function Manager
  • Azure Open Datasets
  • Azure Service Health
  • Traffic Manager

Currently, the goal is for this rearchitecting work to be completed during 2023 and 2024.

The non-compliant and non-regional services that might store customer data include Azure Resource Manager, Azure DevOps, Azure Active Directory, and Azure Active Directory B2C. See further details here. In addition, Azure Front Door (and the CDN capability) and Windows 10 IoT Core Services are excluded as they are global services by design.

Further, Azure Monitor has several aspects that are not EU Data Boundary compliant. This includes the Activity Log and Application Change Analysis. Other elements of Azure Monitor, such as Log Analytics Workspace, are EU Data Boundary compliant.
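
One way to answer the "where is our data?" question for an existing subscription, as an added example that is not from the original post: it sorts `az resource list`-style JSON into resources in the regions named above, resources whose type belongs to a service listed here as an exception, and non-regional resources. The resource-type mapping and the sample inventory are assumptions constructed for illustration, not an official or complete list.

```python
import json
from collections import defaultdict

# Regions named in the post; extend with the other regions you deploy to.
IN_BOUNDARY_REGIONS = {"westeurope", "northeurope", "swedencentral"}

# Assumed, partial mapping from ARM resource types to services the post
# lists as EU Data Boundary exceptions.
EXCEPTION_TYPES = {
    "microsoft.network/dnszones": "Azure DNS",
    "microsoft.network/trafficmanagerprofiles": "Traffic Manager",
    "microsoft.network/frontdoors": "Azure Front Door",
    "microsoft.cdn/profiles": "Azure Front Door / CDN",
    "microsoft.azureactivedirectory/b2cdirectories": "Azure Active Directory B2C",
}

def classify(resource):
    """Return (bucket, note) for one resource record."""
    rtype = resource.get("type", "").lower()
    location = (resource.get("location") or "").lower().replace(" ", "")
    if rtype in EXCEPTION_TYPES:          # service exception wins over region
        return "listed-exception", EXCEPTION_TYPES[rtype]
    if location in IN_BOUNDARY_REGIONS:
        return "in-boundary-region", location
    if location in ("", "global"):        # nothing to pin to a region
        return "non-regional", "check the service's own documentation"
    return "outside-listed-regions", location

def audit(inventory_json):
    """Group (name, note) pairs by bucket from `az resource list` JSON."""
    report = defaultdict(list)
    for res in json.loads(inventory_json):
        bucket, note = classify(res)
        report[bucket].append((res["name"], note))
    return dict(report)

# Constructed sample inventory (not real resources).
SAMPLE = json.dumps([
    {"name": "stprodweu", "type": "Microsoft.Storage/storageAccounts", "location": "westeurope"},
    {"name": "contoso.example", "type": "Microsoft.Network/dnszones", "location": "global"},
    {"name": "tm-prod", "type": "Microsoft.Network/trafficManagerProfiles", "location": "global"},
    {"name": "law-prod", "type": "Microsoft.OperationalInsights/workspaces", "location": "northeurope"},
    {"name": "steastus", "type": "Microsoft.Storage/storageAccounts", "location": "eastus"},
    {"name": "ag-oncall", "type": "Microsoft.Insights/actionGroups", "location": "Global"},
])

if __name__ == "__main__":
    for bucket, items in audit(SAMPLE).items():
        print(bucket, items)
```

Feed it the output of `az resource list --output json` in place of `SAMPLE`; anything outside the `in-boundary-region` bucket is a candidate for manual review against Microsoft's documentation.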

Other aspects

The situation is rapidly becoming better now. I like that there is more transparency into particular aspects of certain Azure services and their compliance with the EU Data Boundary. Some documentation around this is an explanation of why a given service is not compliant rather than a specific solution. We sometimes need “black on white,” even if the result is not perfect.

I’ll monitor the content and announcements around this topic in the coming months. For now, I’m not overly pleased with the last-minute commitment from Microsoft (“by the end of the year,” and then we get a bit of documentation about ten days before the self-imposed deadline). At the same time, I’m glad we’re making progress on this.
