Geopolitical volatility has made data sovereignty a board-level concern. European companies — especially in Luxembourg’s financial sector — need guarantees that their ERP data stays in Europe, is encrypted, and can’t be accessed without explicit consent. Microsoft has responded with a comprehensive framework: the EU Data Boundary, completed in February 2025, plus four pillars of sovereignty controls built into Business Central and the Azure platform.
The EU Data Boundary
Microsoft’s EU Data Boundary is a geographically defined boundary covering EU + EFTA countries. It guarantees that customer data, pseudonymized personal data, and professional services data (including from technical support interactions) are stored and processed within the boundary.
The boundary applies automatically to all Business Central environments with a localization for an EU or EFTA country. No configuration is needed; it is on by default. Copilot features also stay within the boundary when your environment is in the EU.
Microsoft’s 5 Digital Commitments to Europe
Beyond the technical controls, Microsoft has made five public commitments to the European market:
- Expand AI & Cloud ecosystem — 40% datacenter capacity increase across 16 European countries.
- Uphold digital resilience — European digital resilience commitment in all government contracts. When necessary, Microsoft will go to court.
- Protect European data privacy — EU Data Boundary, encryption, promise to compensate customers if data is disclosed in violation of EU law.
- Defend Europe’s cybersecurity — Consolidated cybersecurity council for DORA, NIS 2, and CRA compliance.
- Boost economic competitiveness — Open-source AI models, no exit fees when transferring to another cloud provider.
Four Pillars of Sovereignty Controls
Business Central’s sovereignty framework is built on four pillars: access, security, sovereignty, and transparency. Each contains configurable controls that you can enable based on your regulatory requirements.
Access Controls
Role-Based Access Control (RBAC)
License entitlements + permission sets define what each user can see and do. Granular, auditable, per-environment.
Privileged Identity Management (PIM)
Just-in-time admin access with automatic expiry, MFA enforcement, approval workflows, and regular access reviews. No standing admin privileges.
Granular Delegated Admin (GDAP)
Control which partners can access which environments. Scope by role, duration, and specific users. Least-privilege by design.
Security Controls
Tenant Data Isolation
Each BC environment has its own dedicated, isolated database. Multi-tenant infrastructure, single-tenant data.
Encryption at Rest (TDE)
All databases, backups, and transaction logs encrypted by default using Transparent Data Encryption.
Customer-Managed Keys (CMK)
Bring your own encryption key via Azure Key Vault. Rotate on demand. Revoke to make your data undecipherable by anyone — including Microsoft.
Sovereignty Controls
Data Residency
Environment localization determines the Azure Geo. Your data stays in that geo — period. Multi-geo deployments supported for global organizations.
EU Data Boundary
Customer data, pseudonymized personal data, and professional services data stored and processed within EU + EFTA. Completed February 2025.
Zone-Redundant Backup
Automatic backups are geo-redundant or zone-redundant within your selected Azure Geo. Backups never leave the region.
Transparency Controls
Customer Lockbox
Approve or reject every Microsoft engineer data access request. Access is time-limited (8 hours) and fully logged.
Microsoft Purview
Audit admin operations — environment administration, extension configuration, user management, Copilot configuration. Full forensic trail.
Change Log & Field Monitoring
Track every data change by user. Get alerts when sensitive fields are modified. Built into BC, no third-party tool needed.
Beyond Public Cloud: Sovereign Cloud Options
For organizations with requirements beyond the public cloud, Microsoft offers additional deployment models:
Sovereign Private Cloud
Microsoft-validated hybrid or disconnected cloud at your own location.
Blue (France)
Independently owned and operated by Orange & Capgemini. Built for French government requirements.
Delos Cloud (Germany)
Independently operated by SAP & Arvato Systems. Purpose-built for German public sector.
What this means for your organization
If you are a Luxembourg-based company — especially in financial services, government, or any regulated industry — Business Central on the Microsoft cloud gives you more sovereignty controls than most on-premises deployments ever had. Encryption at rest, customer-managed keys, just-in-time access, Customer Lockbox, full audit trails, and a contractual commitment that your data stays in Europe.
The question is no longer “is cloud safe enough?” — it’s “have you configured the controls that are already available to you?” We help you do exactly that.