Microsoft's Exit: Denmark Shows the Pragmatic Way

While strategies are still being discussed in Germany, Denmark is creating facts - step by step, pragmatically, parallel to existing Microsoft contracts and completely without ideology. This is precisely why it is the most interesting lesson of the year.

Three dates, one message: Denmark is getting serious: in June 2025, Digital Minister Caroline Stage Olsen announces the exit from Microsoft in her own ministry. On December 15, 2025, Michael Ørnø, Director of Statens IT, hands over the first Microsoft-free government PC to Stefan Søsted, Director of the Danish Road Traffic Authority Færdselsstyrelsen, in Ribe. The SIA Open pilot project will roll out in spring 2026: around 600 employees of the authority are to gradually replace Windows, Word, Excel, Outlook, Teams and Edge with NixOS-based Linux and LibreOffice. The Danish government's goal is for up to 15,000 employees in the state administration to switch to the alternative system by the end of 2026.

DR (Danmarks Radio), the specialist portal Ingeniøren, heise online and ZDNet.de, among others, have reported on this.

What is really new

The fact that a European authority is leaving Microsoft behind is no longer news in 2026. Schleswig-Holstein is right in the middle of it, the International Criminal Court (ICC) is switching to openDesk, France and the Netherlands are working on joint administrative software. What makes Denmark stand out is its sober and pragmatic approach.

- Firstly, the system. SIA Open - short for "Statens IT Arbejdsplads Open" - is a proprietary Linux distribution based on NixOS, built by the Danish open source specialist Semaphor on behalf of Statens IT. NixOS is not an end in itself. The operating system is immutable, meaning that it can be described completely declaratively in a single configuration file. What sounds like a nerd detail is actually relevant from a business point of view: defective computers can be restored to a precisely defined state in minutes instead of an IT department manually applying patches. LibreOffice for office applications, Thunderbird for e-mail, Firefox as a browser and the case management system F2 from the Danish provider cBrain are also used.

- Secondly: the sequence. Statens IT deliberately hands over the first PC to a director - not a clerk. Stefan Søsted used the computer for over six weeks before his authority went into rollout. His verdict to DigiTech sounds unspectacular, which is precisely why it is reliable: "My first impression was that the device runs very quickly. If it stays that way, it's almost an upgrade." Søsted even canceled his private Microsoft licenses as a result.

- Thirdly: the target size. With 600 employees in eleven teams at its headquarters in Ribe, Færdselsstyrelsen is large enough to test real operations and small enough to remain controllable. Scaling up to 15,000 users is planned, but not rushed. In an interview with the Danish broadcaster DR, Michael Ørnø describes the project with an image that would never be used in the PR-speak of all hyperscalers: "If it were about cars: there is no reason for everyone to drive a big Mercedes. Many people get along just fine in a VW."

Microsoft remains - and that is strategy, not weakness

In the comment columns, the argument is predictable: "They'll end up using Microsoft again anyway." It's true: Staten's IT has a long-term Microsoft framework agreement in parallel with the open source pilot. Windows remains available as a fallback, individual specialist applications continue to run on the familiar platform, and head of government Søsted can be quoted as saying something that would have been unthinkable two years ago: "We haven't canceled any licenses yet."

Anyone who sees this as a failure in disguise has the Munich LiMux trauma in mind and is missing the point: a two-track approach is not a retreat here, but risk management. An authority that tears down all bridges on the first day risks an operational standstill - including the citizens who can't get to their cars because the registration office is down. Caroline Stage Olsen put it this way in an interview with Politiken in June 2025: if the change proves to be too complex, Microsoft could be used again at short notice.

That's not timid. That is the definition of a functioning exit strategy: operate two systems in parallel, gradually dismantle the more expensive proprietary track and gain experience during this time of what is actually compatible - and what is not. This is exactly what the European Data Protection Supervisor (EDPS) and the German Federal Office for Information Security (BSI) have been advocating for years when talking about "cloud exit" and "reversibility".

Those who think of digital sovereignty only as a switch - on, off - will never achieve it. Those who think of it as a path will make progress.

The political framework: Berlin Declaration, EU procurement rules, EVB-IT

Denmark's move is not an isolated case. On November 18, 2025, all 27 EU member states signed the Declaration for European Digital Sovereignty in Berlin - a political commitment to reduce strategic dependencies and to be able to "autonomously and freely choose their own solutions". The summit was accompanied by a joint package of measures from France and Germany covering seven areas of action, documented by the Élysée. The Council of the European Union has adopted the document as the basis for future EU policy.

In Germany, the IT Planning Council Decision 2025/48 of November 2025 flanks this line at the level of public procurement law: with the amendment to the Supplementary Contract Terms for the Procurement of IT Services (EVB-IT), in force since March 2026, open source is for the first time the rule in public procurement for new developments - no longer the exception that has to be adapted manually. What Denmark is demonstrating in practice is therefore exactly the model that has already been declared the standard at EU level and in Germany.

Why authorities must act

Stefan Søsted explains his decision briefly and unsentimentally: it is about "being the master of your own house and retaining full control over your own data". This statement gets to the heart of the debate because it addresses two structurally different risks at the same time, which are almost always mixed up in the public debate.

The first risk is data access. The US CLOUD Act obliges providers subject to US law to hand over data in their "possession, custody, or control" - regardless of where the data is physically stored. Microsoft explicitly acknowledged in a French Senate hearing in the summer of 2025 that this obligation also applies to data stored in the EU and cannot be ruled out. This is precisely the reason why the 2025 legal opinion commissioned by the Federal Ministry of the Interior came to the conclusion that the physical storage location alone does not provide a protective shield.

The second risk is operational availability. If a provider restricts licenses, refuses updates or blocks accounts for legal or political reasons, the authority suddenly lacks not "just IT", but the ability to perform its core task. Since May 2025, the International Criminal Court, whose chief prosecutor Karim Khan temporarily lost access to his Microsoft emails following US sanctions, has provided a lesson in this - an event documented by the Associated Press and which prompted the ICC to switch to openDesk.

Søsted puts it in the political idiom of the public broadcaster DR: "If you make yourself too dependent on a few providers like Microsoft, you run the risk that they will demand too much." In reality, this economic formulation is the diplomatic packaging of a tough sovereignty argument. The figures prove him right: according to Politiken, Copenhagen's bill for Microsoft software rose from 313 million kroner in 2018 to 538 million kroner in 2023 - an increase of 72 percent in five years.

What German companies should take away from the Danish model

Public authorities and private companies differ legally, but operationally they face the same question: how do I reduce dependency without jeopardizing operations? Four points from the Danish approach can be directly transferred to the private sector.

- First: pilot before program. Statens IT is not starting with 15,000 users, but with one director in a public authority. Applied to companies, this means: choose a department in which a complete turnaround would be realistic and start there. First practice, then roadmap.

- Secondly: parallel operation instead of big bang. Anyone who lets the Microsoft contract run in the background out of operational responsibility is not acting half-heartedly, but economically. The lock-in will not be resolved in a quarter - but it will be resolved as soon as it becomes clear which workloads are actually tied to proprietary platforms and which are not.

- Thirdly: ownership instead of license, where it makes sense. Søsted says very clearly in the Danish report: "We will own everything ourselves and have full control over our IT development in the future." In the private sector, this does not necessarily mean in-house development - but it does mean a consistent separation between those parts of IT that are strategic (data sovereignty, identities, keys, sensitive content) and those that may remain commodities.

- Fourthly: Do not confuse the storage location with sovereignty. In its statement on the Danish move, Microsoft Germany argues that its own European data centers are subject to EU law. In legal terms, this is only half the truth - and the more irrelevant half in the event of a conflict. The decisive factor is the provider's jurisdiction, not the server location.

An illustrative example is the AWS European Sovereign Cloud: a US subsidiary with European governance can regulate operational access and secure supply chains - but it cannot finally resolve the structural conflict with Article 48 of the General Data Protection Regulation (GDPR) and the CLOUD Act.

What this means for regulated industries in Germany

For banks, insurance companies, law firms, tax consultants, clinics and authorities in Germany, Denmark is more than just a curiosity from the north. It is the first empirically reliable answer to the question of whether a gradual reduction in Microsoft dependencies works during ongoing operations. The answer is yes, if you understand sovereignty as a process and keep the right building blocks in your own hands.

The first of these building blocks is the platform for sensitive content - i.e. everything that involves client data, patient files, draft contracts or regulated communication.

Regulatory connectivity is provided by the certifications according to the Cloud Computing Compliance Criteria Catalogue (BSI C5) and ISO 27001. The new BSI criteria catalog C3A ("Criteria enabling Cloud Computing Autonomy") further refines the assessment of cloud sovereignty. All in all, this results in the building block that a German company or a German authority with high protection requirements should first have under its own control - before venturing into office suites and end devices.

This is particularly relevant for public authorities. Our Authorities & Public Sector industry page shows the typical use cases in detail.

Conclusion: pragmatism beats ideology

Denmark 2026 proves something that has been missing from many German strategy documents in recent years: digital sovereignty is not a manifesto that is adopted in a meeting. It is a sequence of concrete decisions, each of which is manageable. A first PC in the director's room. Six weeks of practical testing. Six hundred users in one authority. Fifteen thousand in the entire administration.

Whoever adapts this logic in Germany - pilot, parallel operation, ownership of the strategic layers - will not be free of US hyperscalers tomorrow. But in five years' time, they will no longer have to wonder what will happen if a US provider becomes a political threat. It is precisely this position that Stefan Søsted is referring to when he says "master in your own house". And this is exactly where regulated companies in Germany should start in 2026 - not with a grand ideological gesture, but with the first controlled step.