Digital Sovereignty is Not a Product: The Multi-Level Architecture According to Microsoft
Digital Sovereignty is Not a Product: The Multi-Level Architecture According to Microsoft
Digital sovereignty has firmly entered the agenda of Italian companies, driven by European regulations and an unstable geopolitical framework. However, it remains a term without a shared definition, and it is precisely from this absence that the Microsoft Sovereignty & AI Summit began, hosted in Rome at the Elis headquarters in Villa Tassini. Opening the proceedings was Vincenzo Esposito, CEO of Microsoft Italy, who framed the day within a broader context: sovereignty is one of the components of the strategy with which Microsoft accompanies companies in adopting AI, a strategy the company calls Frontier Transformation. The prerequisite, observed Esposito, is that technology is no longer the critical point: "technology exists, it’s ready, we have plenty of it, but there is a significant gap between companies that look at innovation and those that then implement it concretely."
Instead, the concept of sovereignty was described by Irene Sardellitti, National Technology Officer of Microsoft Italy, who started with a question addressed to organizations: "We ask customers or organizations what sovereignty means to them, as we are the service providers, those who provide the appropriate solutions to address their needs."
On this basis, Microsoft has formulated its definition, which excludes two opposing extremes. "Our definition does not foresee isolation or autarky, but enables all organizations to experience the digital economy safely and independently, with a certain degree of control," explained Sardellitti. The qualifying point is that sovereignty does not coincide with a product: "it is not a solution, but the result of technological, contractual, and process levers." The operational consequence is that the journey begins with a risk analysis, recognizing that different data has different sensitivities and must be treated accordingly. An ordinary data, a critical data, and a strategic data do not require the same guarantees, and mapping these criticalities precedes any technological choice.
Technology and Know-How: Where Value is Born
If Sardellitti defines the perimeter of the concept, it is in Esposito's strategic reading that sovereignty finds its economic rationale, and it is here that the circle opened at the beginning of the day closes. His thesis is that AI models, now accessible to anyone, no longer represent a differentiating factor: competitive advantage stems from the intersection between technology and the knowledge and data heritage of each organization. This is a point that directly links sovereignty to value, because what makes a company truly distinguishable is not the model but the way it applies it to its own data. The difference, emphasized Esposito at Edge9 on the sidelines of the event, does not lie in the technology available but in the ability to put it into production.
From here, Esposito insisted on a pair of concepts: intelligence and trust. "I entrust my data to technology, so it is essential to have a level of integration between technology and trust," he observed, recalling the need to monitor what software agents do, to which data they have access, and on what compliance criteria they operate. In this area, Microsoft also brings certifications: Copilot, the tool with which the company opens access to generative AI, has achieved compliance with the ISO/IEC 42001 standard, dedicated to the responsible management of artificial intelligence systems.
The third element, alongside infrastructure and trust, is culture. "Culture and technology are the two sides of the same sovereign coin," summarized Sardellitti, because without widespread skills, tools do not translate into competitiveness. This falls under the Microsoft Elevate program, which arrived in Italy in September 2025 with the goal of training over 400,000 people in two years, at different levels depending on needs. Esposito himself, recounting the experience of the Microsoft AI L.AB., an accelerator that now counts over 400 Italian companies, indicated that the involvement of people is the real discriminator: "what separates companies that succeed in implementing artificial intelligence from those that do not is the involvement of people."
Security remains the overarching prerequisite for the entire framework. Microsoft places it within the Secure Future Initiative, the initiative with which it has redesigned its services according to security criteria already in the design phase, defaulted, and in operations, relying on a team of 34,000 engineers dedicated to cybersecurity and using AI models to improve code quality and identify vulnerabilities.
A Continuum of Architectural Options
The tools with which Microsoft translates this idea of sovereignty into practice form what Sardellitti describes not as a switch between alternatives but as a continuous range. "Microsoft offers various architectural approaches, which include the public cloud, the sovereign offering of public cloud, private cloud with an on-premise solution, and hybrid solutions with partners," she listed, calling them "a continuum of options that address different needs." The first level remains the public cloud, built on Azure, which, according to the company, covers most sovereignty needs thanks to additional controls over data and operations. On the data side, there is encryption at rest, in transit, and in use, the latter entrusted to Azure Confidential Computing. On the operational side, the EU Data Boundary acts, which confines data storage and processing within Europe, and the Data Guardian, which monitors Microsoft personnel's access to systems managed on the continent.
Alongside these technological levers are contractual guarantees. The Microsoft Data Protection Addendum stipulates that the company does not grant any government access to customer data, that every request is evaluated by a legal team, and that requests received are reported periodically. For organizations concerned about the implications of the US Cloud Act, Microsoft adds a technical argument: if the customer encrypts their data with keys that the company does not control, that data remains inaccessible even to the provider. An additional contractual appendix also commits Microsoft to contesting a potential order to suspend services in Europe in court.
When the public cloud is not enough, the second level is the on-premise private cloud based on Azure Local, which operates both in connected and disconnected modes and reproduces the user experience of Microsoft 365 through a local version of the suite, with the possibility of running AI models on-site. The third level is the hybrid cloud built with partners, including in Italy Retelit and Aruba, which host data in their own data centers alongside Azure services. Making all this concrete is the direct infrastructural presence: with the Italy North region, resulting from a €4.3 billion investment announced in 2024, companies can maintain data and processing not only in Europe but on national territory. "We can localize data in Italy and take advantage of services directly from Italy North," confirmed Sardellitti.
The framework in which all this is located is that of the European commitments made by Microsoft in April 2025, when President Brad Smith presented five commitments for the digital stability of the continent, from the expansion of cloud infrastructures to the promise of operational continuity in the face of geopolitical pressures. Together, Sardellitti's architectural framework and Esposito's strategic reading deliver a precise positioning: Microsoft does not present sovereignty as an alternative to innovation or security but as a variable to balance with both. For Italian companies, especially those in regulated sectors, the issue shifts from the choice of a product to the ability to map the criticality of their data and associate with it the appropriate architectural level. It is a reading that brings the discussion from the level of the European debate on sovereign models to the more concrete level of how each organization secures and utilizes its information assets.