SecureCloud Blog

Key access and data sovereignty: Beware of Microsoft's BitLocker

Written by Sebastian Deck | Jan 26, 2026 11:50:29 AM

The report may seem like a technical footnote at first, but it has considerable strategic implications: Microsoft confirms that recovery keys for BitLocker disk encryption can be handed over to law enforcement authorities under certain conditions.

Microsoft confirms release of BitLocker keys

According to Microsoft, the company receives around 20 requests a year from investigating authorities for BitLocker recovery keys. As the US magazine Forbes reports, Microsoft handed over such a key to the FBI for the first time last year, as part of a criminal investigation into fraud involving a Covid relief program on Guam. Microsoft itself points out that although storing the recovery key in the user's Microsoft account makes recovery easier, it also increases the risk of unwanted access. In principle, customers can decide for themselves how they manage their keys: a recovery key that is only kept locally or in the organisation's own directory cannot be released by Microsoft. Critically, however, Microsoft has in recent years made it progressively harder to set up Windows without an online account, and the default setup uploads the recovery key to that account, which in practice increases the number of centrally stored keys.
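The practical consequence of the point above is that an organisation cannot tell, from the device alone, whether a given BitLocker recovery password was uploaded to a Microsoft account at setup time, so the conservative action is to rotate it. The following PowerShell script is an added example, not code from this post or from Microsoft: it lists the recovery-password protectors on every protected volume and, with the -Rotate switch, replaces them with freshly generated ones, which invalidates every copy of the old password wherever it was escrowed. The -Rotate and -EscrowToAD switches are this script's own parameters, not BitLocker options; escrow to AD DS assumes a domain-joined device and the corresponding Group Policy.

```powershell
<#
  Added example (not from the SecureCloud post or from Microsoft): audit and,
  on request, rotate BitLocker recovery passwords so that a copy previously
  uploaded to a Microsoft account no longer unlocks the drive.
  Run in an elevated PowerShell session on Windows (built-in BitLocker module).
  Assumptions: -Rotate / -EscrowToAD are parameters of this script only;
  AD DS escrow needs a domain-joined device with the AD backup policy enabled.
#>
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$Rotate,      # replace every recovery password with a fresh one
    [switch]$EscrowToAD   # after rotation, store the new one in on-prem AD DS
)

foreach ($vol in Get-BitLockerVolume) {
    $mp = $vol.MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "$mp : protection is $($vol.ProtectionStatus), nothing to rotate"
        continue
    }

    # Windows keeps no local record of whether a recovery password was ever
    # uploaded to a Microsoft account, so every existing one is treated as exposed.
    $old = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    Write-Host "$mp : $($old.Count) recovery password protector(s)"
    $old | ForEach-Object { Write-Host "    existing $($_.KeyProtectorId)" }

    if (-not $Rotate) { continue }

    # Add the replacement first so the volume is never without a recovery path,
    # then remove the old protectors.
    Add-BitLockerKeyProtector -MountPoint $mp -RecoveryPasswordProtector | Out-Null
    $current = @((Get-BitLockerVolume -MountPoint $mp).KeyProtector |
                 Where-Object KeyProtectorType -eq 'RecoveryPassword')
    $new = @($current | Where-Object { $_.KeyProtectorId -notin $old.KeyProtectorId })

    foreach ($p in $old) {
        Remove-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
        Write-Host "    removed  $($p.KeyProtectorId)"
    }

    foreach ($p in $new) {
        Write-Host "    new      $($p.KeyProtectorId)"
        if ($EscrowToAD) {
            # Escrow to the organisation's own directory, not to a Microsoft account.
            Backup-BitLockerKeyProtector -MountPoint $mp -KeyProtectorId $p.KeyProtectorId | Out-Null
            Write-Host "    escrowed to AD DS"
        } else {
            # Shown once so it can be stored in the organisation's own vault;
            # after rotation no other copy of this password exists anywhere.
            Write-Host "    recovery password: $($p.RecoveryPassword)"
        }
    }
}
```

Run it without switches to audit, with -Rotate to replace the recovery passwords, and with -Rotate -EscrowToAD on a domain-joined machine to escrow the new ones to the organisation's own AD DS. Rotation does not delete the stale key from the Microsoft account (it can be reviewed and removed at aka.ms/myrecoverykey); it simply makes that key useless, which is the property that matters here. Whichever escrow target is used, it should be one the organisation controls, since a recovery password that is held only by a third party is exactly the situation the article describes.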

Risks for companies with sensitive data

For companies, this is not just a question of IT configuration but one of governance and risk. BitLocker also protects data with high protection requirements: health data, official records, price and contract information, intellectual property, and research and development data. The fact that the recovery keys sit outside the company's control and can, if it comes to that, be obtained through legal process is particularly problematic for organizations with regulatory obligations. In addition, as a US company Microsoft is subject to the US CLOUD Act, which allows US authorities to access data under certain conditions, even if it is stored outside the USA. Microsoft's Law Enforcement Requests Report, published every six months, illustrates the scale: between July and December 2024, more than 5,000 law enforcement requests were received from Germany alone, relating to almost 10,000 accounts.

Convenience versus control: a structural dilemma

The BitLocker case is not an isolated incident but symptomatic of a structural dilemma of modern cloud and platform models. The greater the convenience, central administration and tight integration, the more control shifts from the user to the platform operator. Even if providers emphasize that they will only release data when ordered to do so by a court, a residual risk remains for companies, especially in cross-border situations. Data protection and civil rights organizations such as the American Civil Liberties Union have been pointing out for years that centrally stored keys and metadata are of particular interest to government agencies.

Is genuine EU data sovereignty possible with US providers?

Against this backdrop, there is an increasingly open debate as to whether genuine European data sovereignty is achievable with US providers at all. One widely noted example is the decision by the state of Schleswig-Holstein to move large parts of its IT workstations away from proprietary US providers and onto open alternatives that can be controlled from within Europe. The explicit aim is to reduce dependencies on US jurisdiction and platforms. Even if this path is challenging, it shows that data sovereignty is increasingly understood as a strategic infrastructure issue, not just a legal one.

Alternatives for organizations with high protection requirements

For authorities and companies with sensitive data, the focus is therefore shifting to alternative architectures. These include infrastructure and cloud services in European hands, consistently customer-owned key management, a clear separation of data, identities and access rights, and operation in European data centers by operators not subject to US law. Private AI approaches, in which models and training data remain entirely under the company's own control, are also gaining in importance. Such concepts require more planning than standardized public cloud models but offer a significantly higher degree of control and legal certainty.

Data sovereignty starts with the infrastructure - and with key management

The BitLocker case makes it clear that encryption alone does not guarantee data sovereignty. The decisive factor is who has control over keys, platforms and operating models. Genuine European data sovereignty therefore begins with fundamental infrastructure decisions: key management, the choice of sovereign cloud architectures and the question of how AI applications are operated and trained.

SecureCloud supports organizations with precisely these issues, for example in the design of sovereign cloud infrastructures, customer-specific key and identity concepts, and private AI scenarios for particularly sensitive data. This allows dependencies on the US tech stack to be reduced and regulatory requirements to be implemented sustainably. The current discourse shows that the crucial question is no longer whether data sovereignty is relevant, but how consistently companies and authorities anchor it in their infrastructure.