EN FR
SYAGA Consulting Sovereignty Proof, not promises.

Sovereignty - Microsoft 365

CLOUD Act and Microsoft 365: what Microsoft admitted before the French Senate

In June 2025, before the French Senate's inquiry committee, Microsoft France's director of public and legal affairs answered "No, I cannot guarantee it" when asked whether he could ensure that French citizens' data would never be handed over to the US government without the agreement of French authorities. In other words: your Microsoft 365 emails, files and identities, even hosted in Europe, remain legally reachable via the CLOUD Act.

The fact: Anton Carniaux's (Microsoft France) reply to the French Senate: "No, I cannot guarantee it, but it has never happened."

The fact, sourced

What Microsoft France told the French Senate

French Senate, June 2025. Hearing of Microsoft France by the inquiry committee on public procurement. Question asked: can French citizens' data be transferred to the US government without the agreement of French authorities? Answer: "No, I cannot guarantee it, but it has never happened."

During the same hearing, Microsoft France stated that, since January 2025, European customers' data contractually no longer leaves the Union. These technical measures do not, however, override the US legal obligation.

The CLOUD Act (US law of 23 March 2018) authorises US authorities to require access to data held by a company under US jurisdiction, wherever that data is stored, including in Europe.

This is not theoretical

Even the European Commission was in breach

EDPS, 8 March 2024. The European Data Protection Supervisor found that the European Commission's use of Microsoft 365 breached Regulation (EU) 2018/1725 (purpose limitation, international transfers, unauthorised disclosures) and ordered the suspension of certain data flows. The Commission has since remediated the situation, in 2025; but the initial finding remains telling.

What this means

For your SME

Your Microsoft 365 tenant concentrates what is most sensitive: mailboxes, documents, identities, access rights. The CLOUD Act does not spare you because you are an SME. The right question is no longer "is this serious?" but "who, besides you, can see or demand this data?"

The trap

An audit that makes the problem worse

To assess your Microsoft 365 security, most providers require broad access and take away a copy of your configuration, sometimes of your data, onto their own servers. You then add a new exposure: that of the auditor itself, who becomes a new target. If they get hacked, the map of your weaknesses ends up out in the wild.

Our answer

The audit that takes no copy

We measure your Microsoft 365 security posture without ever taking away your data. The analysis reads your configuration (the settings), not your content (no emails, no files), and you verify it yourself in your own Microsoft logs. Method: ZKPA (Zero-Knowledge Posture Assessment), hosting in Europe, open-source building blocks.

Get your assessment as soon as it opens

Frequently asked questions

CLOUD Act, M365 and auditing

Does the CLOUD Act apply if my data is hosted in Europe?
Yes. It targets the company under US jurisdiction that holds the data, regardless of where it is stored. This is precisely what Microsoft France admitted it cannot neutralise (French Senate, June 2025).

Does a security audit necessarily require copying my data?
No. Posture can be measured by reading the configuration and proving it in your own logs, without taking away a copy (copy-free audit / ZKPA).

Am I affected if I run a small business?
Yes: protection does not depend on your size but on who holds and can demand your data.