Norwegian businesses and public agencies using Microsoft's cloud services should take a fresh look at their privacy settings. A controversial change rolled out by the company may cause data processed by artificial intelligence to leave Europe and end up in the US or other countries outside the EEA — according to Digi.no, which first reported the story.
What is "Flex Routing"?
Microsoft's Copilot services use a mechanism called "Flex Routing". This allows requests from European customers to be temporarily routed to data centres in the US, Canada, or Australia during periods of high demand. According to available source material, the feature is disabled by default for EU tenants, but experts stress that organisations should confirm this actually applies to their own setups — and not take it for granted.
A further complication is that Anthropic, which has been a subprocessor for Copilot since January 2026, currently keeps its models outside Microsoft's EU Data Boundary. This means EU customers using Anthropic models in Copilot who have strict data residency requirements should disable this integration.
Norwegian organisations can no longer assume that "European cloud" is the same as "data in Europe" — configuration determines everything.

What is Microsoft's official commitment to European customers?
Microsoft has made significant investments to meet EU requirements. The company launched its "EU Data Boundary" initiative, which is intended to give commercial and public sector customers the ability to store and process core data exclusively within the EU and EFTA region. Services such as Microsoft 365, Dynamics 365, Power Platform, and most Azure services are in principle covered.
Microsoft has also announced a 40 percent capacity increase for European data centres over a two-year period, with the goal of more than 200 data centres across 16 European countries by 2027.
For the public sector, there is also "Microsoft Cloud for Sovereignty", designed specifically to meet stringent sovereignty and compliance requirements.
The US CLOUD Act — the underlying problem no one is solving
Even when Microsoft places data in European data centres, the company is subject to the US CLOUD Act as an American corporation. This means US authorities can in principle demand access to data stored in Europe, regardless of where the servers are physically located.
Microsoft says it will challenge such requests and only comply where legally required under EU law, and that it will notify affected customers where permitted. Nevertheless, experts in digital sovereignty point out that no US-based cloud provider can offer full sovereignty in a legal sense, precisely because of this extraterritorial reach.
What does this mean for Norwegian organisations?
For Norwegian organisations with strict privacy obligations — whether they operate in healthcare, public administration, or handle sensitive business data — this is not a matter of technical detail. It is a compliance issue.
The EU AI Act, which entered into force in August 2024 and from August 2026 will impose requirements on high-risk systems, elevates data residency from a legal preference to a technical requirement. It is no longer sufficient to select the right region from a dropdown menu — organisations must be able to document the geographical path data has taken throughout the entire execution of an AI agent.
According to experts, Norwegian organisations should specifically:
- Confirm that Flex Routing is disabled in their own Microsoft tenants
- Assess whether the Anthropic integration in Copilot is compatible with their own GDPR requirements
- Use specific Azure AI configurations with the Data Zone SKU if strict EU residency is required
- Maintain ongoing oversight of Microsoft's subprocessor list, which is subject to change
Source Digi.no emphasises that Microsoft's change has already been rolled out, and that the responsibility for ensuring correct configuration rests largely with customers themselves.
