European Digital Sovereignty Incidents 2018-2026: Complete Catalog

Quick answer: This catalog tracks 39 publicly documented European digital sovereignty incidents and policy events from 2015 to May 2026, anchored on the post-GDPR period: US legal demands reaching European data, OFAC sanctions on European officials, US visa bans on European figures, forced corporate acquisitions of European critical IT, and the CJEU rulings that frame the legal exposure. Every entry is verified against at least two independent public sources and licensed under CC BY 4.0 for free citation and reuse.

European digital sovereignty stopped being abstract on 21 May 2026, when Vrij Nederland reported that Microsoft had transmitted internal documents containing the unredacted names of Dutch civil servants enforcing the Digital Services Act to the US House Judiciary Committee. The Dutch state secretary for Digital Economy and Sovereignty summoned the US ambassador. Other US tech firms had reportedly done the same.

That incident did not happen in isolation. Since the General Data Protection Regulation entered into force on 25 May 2018, dozens of separate public cases have documented the legal exposure of European data, officials, and institutions to US authority: through the CLOUD Act, through Congressional subpoena power, through OFAC and State Department designations, through forced corporate ownership changes, and through the slow legal collision between EU data protection law and US national-security frameworks.

This catalog aggregates every such case we could verify against at least two independent public sources. It is intended as a citable reference document for journalists, regulators, academics, and procurement officers who need one place to find these incidents instead of reconstructing them story by story. The companion piece What Is Digital Sovereignty? covers the conceptual framework. This one is the receipts.

For the broader regulatory side (€5.8 billion in GDPR fines since 2018, country-by-country breakdowns, violation categories), see GDPR Enforcement Statistics 2018-2025, our companion data asset.

Key takeaways

• 39 documented incidents and policy events from 2015 to May 2026, anchored on the post-GDPR period.
• At least 2 EU nationals are currently on the OFAC SDN list: Slovenian judge Beti Hohler (designated 5 June 2025) and French judge Nicolas Guillou (designated 20 August 2025), both under Executive Order 14203.
• The largest single fine grounded in US-transfer concerns is the €1.2 billion DPC penalty against Meta Ireland (22 May 2023), following the Schrems II ruling.
• The clearest contemporary case is Microsoft's May 2026 disclosure of Dutch ACM and AP staff names to the House Judiciary Committee under US Congressional subpoena power.
• Microsoft's own H2 2025 transparency report confirms the operational reality: the company "provided content data to U.S. law enforcement related to 3 non-U.S. enterprise customers whose data was stored outside the U.S." Of those, one was in the EU/EFTA region (the 27 EU member states or one of the four EFTA states: Iceland, Liechtenstein, Norway, Switzerland).

Mar 2018

CLOUD Act enacted

US confirms its warrants reach data held by US companies regardless of where it is stored.

Jul 2020

Schrems II

The CJEU invalidates the EU-US Privacy Shield over US surveillance law.

Sep 2020

First ICC sanctions (EO 13928)

The first Trump administration sanctions ICC officials; revoked by the Biden administration in April 2021.

May 2023

Meta fined €1.2 billion

The Irish DPC penalises Meta for transferring European data to the US after Schrems II.

Jul 2023

Data Privacy Framework adopted

The European Commission adopts the EU-US DPF adequacy decision. It is later challenged.

Mar 2024

EDPS rules against the Commission

The European Data Protection Supervisor finds the Commission's own use of Microsoft 365 unlawful.

Apr 2024

FISA Section 702 reauthorised

The RISAA extends the core US surveillance statute for two years (sunset April 2026).

Feb 2025

EO 14203 + overseas-fines memo

The second Trump administration renews ICC sanctions and orders scrutiny of the DSA, DMA, and digital-services taxes.

Jun-Aug 2025

EU-national judges OFAC-listed

Slovenian judge Beti Hohler and French judge Nicolas Guillou are added to the OFAC SDN list under EO 14203.

Nov 2025

Kyndryl moves on Solvinity

US-listed Kyndryl announces intent to acquire Solvinity, the Dutch host of national digital identity system DigiD.

Dec 2025

US visa bans on European figures

Former Commissioner Thierry Breton and four civil-society leaders are barred over alleged "censorship" of US platforms.

May 2026

Microsoft names Dutch officials

Microsoft hands the US House Judiciary Committee internal documents naming Dutch DSA-enforcement staff.

These are distinct milestone events, not a count of incidents. Grey markers are legal-framework changes; blue markers are specific compulsion, sanction, or acquisition events. The full 39-entry catalog and downloadable dataset are below.

Table of contents

1. Methodology and scope
2. The legal framework
3. US Congressional and DOJ legal demands for European data
4. OFAC sanctions on individuals connected to European or international institutions
5. US State Department visa bans on European figures
6. DPA enforcement actions explicitly grounded in US-transfer concerns
7. National DPA findings and policy frameworks targeting US cloud risk
8. Forced acquisitions and ownership-change exposure
9. Public-sector dependency markers
10. How to cite this catalog
11. Download the dataset
12. Sources

---

Methodology and scope

Two-source rule. Every catalogued incident has at least two independent public sources. At least one must be primary (court ruling, government press release, executive order, official agency document, or company filing) or a tier-1 outlet's named reporting of one. The second is a corroborating source. Single-source incidents are excluded.

Confidence tagging. Each entry carries a confidence level. High means two or more primary or tier-1 sources with no contradictions. Medium means one primary plus reasonable tier-1 corroboration with no contradictions. Low-confidence entries are excluded from the published dataset.

Exact-quote evidence. Any non-trivial claim (ownership, legal status, fine amount, designation date) is traceable to a specific URL with the exact phrasing the source uses. The article body paraphrases for readability; the source footnotes carry the operative quotes.

Scope: only incidents affecting European data, officials, or institutions. Out of scope: US-side enforcement against US persons; FBI National Security Letters served on US-domiciled entities; criminal investigations where the European angle is incidental.

Time window: anchored on the post-GDPR period (25 May 2018 onward), with three foundational predecessors. The catalog's focus is the period since GDPR took effect, but it includes three earlier legal-framework events that define the entire exposure surface: Schrems I (2015), the CLOUD Act (March 2018), and the Microsoft Ireland warrant case (April 2018). These three are counted in the dataset because the later incidents are unintelligible without them.

Tier-1 source whitelist for press citations. Reuters, AP, AFP, Bloomberg, Financial Times, New York Times, Washington Post, Politico Europe, Euractiv, NRC Handelsblad, Le Monde, FAZ, El País, Vrij Nederland, NOS, plus the relevant national DPA press releases and EU institution channels.

Living document. Every entry has an internal last_verified_at date. The "Last Updated" header in this article reflects the most recent verification pass, not the original publish date. New incidents are added quarterly.

---

The legal framework

These are the operative legal mechanisms used to reach European data, officials, and institutions. They are not "incidents" in themselves but they define the exposure surface that every subsequent case in this catalog exploits.

CLOUD Act vs Congressional subpoena power, in 60 words

The CLOUD Act amends the US Stored Communications Act to confirm that US-headquartered companies must produce data regardless of where it is stored. Congressional subpoena power is separate and broader: when a House or Senate committee opens an investigation, it can compel any US company to produce internal documents, including emails and meeting invitations naming foreign officials. Both mechanisms reached European data in publicly documented cases in 2025-2026: the CLOUD Act in Microsoft's own H2 2025 disclosure, Congressional subpoena power in the Microsoft-Dutch case.

The five mechanisms, at a glance

US power reaches European data, officials, and institutions through five distinct legal channels. Each row below is documented in detail later in this catalog.

CLOUD Act enactment (23 March 2018). The Clarifying Lawful Overseas Use of Data Act was enacted as Division V of the Consolidated Appropriations Act, 2018, Public Law 115-141. The law amended 18 U.S.C. § 2713 to clarify that US warrants reach data "regardless of whether such communication, record, or other information is located within or outside of the United States."

Microsoft v. United States (the Microsoft Ireland warrant case). The US Supreme Court vacated the case as moot on 17 April 2018, four weeks after the CLOUD Act passed, on the grounds that the new statute resolved the underlying dispute. Docket No. 17-2, 138 S. Ct. 1186 (2018). The case was the immediate political trigger for the CLOUD Act.

Schrems I (Case C-362/14, decided 6 October 2015). The Court of Justice of the European Union invalidated Commission Decision 2000/520/EC, the Safe Harbor framework, holding that it did not provide an essentially equivalent level of protection for EU personal data transferred to the United States.

Schrems II (Case C-311/18, decided 16 July 2020). The CJEU invalidated Commission Implementing Decision (EU) 2016/1250 (the EU-US Privacy Shield), again on the grounds that US surveillance law did not provide essentially equivalent protection. Standard Contractual Clauses were preserved but with case-by-case assessment requirements.

FISA Section 702 reauthorisation (20 April 2024). The surveillance authority at the centre of the Schrems rulings, Section 702 of the Foreign Intelligence Surveillance Act, was reauthorised for two years by the Reforming Intelligence and Securing America Act (H.R.7888, 118th Congress), with a sunset in April 2026. Section 702 is the statute that allows US agencies to compel US electronic-communications providers to hand over the communications of non-US persons, and it is the core reason the CJEU has twice found US protection inadequate for European data. Its continuation keeps the underlying conflict live regardless of which data-transfer framework is in place.

EU-US Data Privacy Framework adequacy decision (10 July 2023). Commission Implementing Decision (EU) 2023/1795 determined that the United States ensures an adequate level of protection for personal data transferred under the new framework. The decision has been challenged.

Latombe v Commission (Case T-553/23). French National Assembly member Philippe Latombe (Modem, Vendée's 1st constituency) filed the first annulment action against the Data Privacy Framework adequacy decision in September 2023, acting in his personal capacity rather than as a Member of the European Parliament. The General Court dismissed the action on 3 September 2024. The framework remains in force.

---

US Congressional and DOJ legal demands for European data

Microsoft → US House Judiciary Committee disclosure of Dutch civil servants (May 2026)

Date: Reported 21 May 2026 by Vrij Nederland. Confidence: high.

Microsoft handed the US House Judiciary Committee internal documents containing the unredacted names of Dutch civil servants enforcing the Digital Services Act, including staff of the Autoriteit Consument en Markt (ACM, the Dutch competition authority) and the Autoriteit Persoonsgegevens (AP, the Dutch data protection authority). University of Amsterdam political scientist Claes de Vreese was also named.

The recipient committee is investigating European platform regulation as alleged "tech censorship" of American companies. Microsoft was legally required to comply with the subpoena. The Dutch State Secretary for Digital Economy and Sovereignty, Willemijn Aerdts (D66), called the disclosure "extremely concerning" and summoned the US ambassador.

Operative quote (Aerdts, ahead of the Dutch cabinet meeting): "If there are discussions about policy, you have those with us, not over the backs of civil servants."

Other US tech firms reportedly received similar requests. Sources: Vrij Nederland; NOS; NL Times.

Microsoft H2 2025 transparency report: EU/EFTA enterprise data disclosure

Date: Reporting period July to December 2025; report published 2026. Confidence: high.

Microsoft's own Law Enforcement Requests Report for H2 2025 discloses: "Microsoft provided content data to U.S. law enforcement related to 3 non-U.S. enterprise customers whose data was stored outside the U.S. One of the 3 customers was located in the EU/EFTA."

This is Microsoft confirming, against itself, that the CLOUD Act has been operationally invoked to compel disclosure of European enterprise customer data physically stored outside the United States during the reporting period.

Aggregate transparency report volumes

Microsoft, Google, Apple, Meta, and AWS all publish periodic transparency reports of government data requests broken down by country. The reports document two distinct flows: requests received from each country's own authorities, and (less commonly disclosed) onward production of foreign customer data to US law enforcement. Direction matters; readers chasing CLOUD Act exposure should focus on the latter category, which is what Microsoft's H2 2025 disclosure quoted above made explicit. v1.0 of this catalog includes the Microsoft H2 2025 disclosure under incident_type=transparency_report_aggregate. Future quarterly updates will add per-vendor per-year aggregate rows as each provider publishes its next reporting period.

---

OFAC sanctions on individuals connected to European or international institutions

Trump-I sanctions on ICC officials (2020-2021)

Date: Executive Order signed 11 June 2020; designations 2 September 2020; revoked 1 April 2021. Confidence: high.

Executive Order 13928 "Blocking Property of Certain Persons Associated with the International Criminal Court" was signed in response to the International Criminal Court (ICC) Prosecutor's investigation into actions allegedly committed by US personnel in or relating to Afghanistan. Two ICC officials were designated on 2 September 2020: Fatou Bensouda (then-Chief Prosecutor, Gambian national) and Phakiso Mochochoko (Head of the Jurisdiction, Complementarity and Cooperation Division, Lesotho national). Neither was an EU national. The Biden administration revoked the program on 1 April 2021.

Trump-II sanctions on ICC officials (2025-2026, ongoing)

Date: Executive Order 14203 signed 6 February 2025; designations rolling through 2025-2026. Confidence: high.

Executive Order 14203 "Imposing Sanctions on the International Criminal Court" was signed by President Trump on 6 February 2025. Subsequent OFAC designations have placed at least 12 individuals on the Specially Designated Nationals (SDN) list. Two of those individuals are EU citizens designated for performing official duties as ICC judges:

• Beti Hohler (Slovenia), designated 5 June 2025.
• Nicolas Guillou (France), designated 20 August 2025.

Other designations include ICC Prosecutor Karim Khan (United Kingdom, 13 February 2025), UN Special Rapporteur Francesca Albanese (9 July 2025), and judges from Benin, Canada, Fiji, Peru, Senegal, and Uganda, with further designations in September and December 2025.

This is the cleanest existing precedent of EU citizens being directly OFAC-sanctioned for performing official international duties. The European Commission, the German Federal Foreign Office, and the French Ministry of Europe and Foreign Affairs have all publicly condemned the designations. Sources: White House; US Department of State; ICC press releases.

---

US State Department visa bans on European figures

Breton and four civil-society leaders (December 2025)

Date: Announced 23 December 2025. Confidence: high.

The US State Department imposed visa restrictions on five individuals identified by Secretary of State Marco Rubio as having engaged in what he described as "extraterritorial censorship" of American platforms:

• Thierry Breton, former EU Internal Market Commissioner (2019-2024) and lead architect of the Digital Services Act.
• Imran Ahmed, founder of the Center for Countering Digital Hate (CCDH).
• Josephine Ballon and Anna-Lena von Hodenberg, executives of the German non-profit HateAid.
• Clare Melford, co-founder of the Global Disinformation Index.

This is a US State Department consular action under Section 212(a)(3)(C) of the Immigration and Nationality Act, not an OFAC sanction. Breton publicly characterised the ban as a "witch hunt." Sources: Al Jazeera; CNBC; Euronews.

Important clarification: Margrethe Vestager (former Competition Commissioner) has not been sanctioned or visa-restricted. Public claims to the contrary are not supported by any tier-1 source.

The visa bans did not arrive in isolation. On 21 February 2025, the White House issued a presidential memorandum, "Defending American Companies and Innovators From Overseas Extortion and Unfair Fines and Penalties," directing US agencies to scrutinise the Digital Markets Act, the Digital Services Act, and foreign digital-services taxes, and to prepare responses to regulation the administration characterises as targeting American companies. The Breton visa ban is best read as one expression of that broader posture rather than a standalone act. Sources: White House; Skadden analysis.

---

DPA enforcement actions explicitly grounded in US-transfer concerns

DPC v Meta Ireland: €1.2 billion fine (May 2023)

Date: EDPB binding decision 13 April 2023; DPC announcement 22 May 2023. Confidence: high.

The Irish Data Protection Commission imposed a €1.2 billion fine on Meta Platforms Ireland for transfers of personal data to the United States on the basis of Standard Contractual Clauses subsequent to the Schrems II ruling. The EDPB found that the infringement was "very serious since it concerns transfers that are systematic, repetitive and continuous." Meta was ordered to "cease the unlawful processing, including storage, in the U.S. of personal data of European users transferred in violation of the GDPR, within 6 months."

This is the single largest fine to date that explicitly grounds in US-transfer exposure rather than in domestic European processing failures. Source: European Data Protection Board.

Note: the DPC's separate €405 million Instagram fine of 2 September 2022 concerned children's data and transparency, not US-transfer concerns, and is not catalogued here as a transfer case. It appears in the GDPR Enforcement Statistics companion data asset.

---

National DPA findings and policy frameworks targeting US cloud risk

Netherlands SLM Rijk Microsoft 365 DPIAs (2018-2024, ongoing)

Dates: Multiple rounds: 2018/2019 (initial M365 negotiations), 2021 (telemetry updates), February 2022 (Teams / OneDrive / SharePoint), December 2024 (Microsoft 365 Copilot). Confidence: high.

The Dutch government's strategic supplier management body, SLM Rijk, has commissioned successive Data Protection Impact Assessments through Privacy Company on its use of Microsoft cloud services. The February 2022 DPIA on Teams, OneDrive, and SharePoint Online concluded that "organisations should not use these cloud services to exchange or store sensitive and special categories of personal data" unless encrypted with self-controlled keys, citing "possible access to those data from the United States."

The December 2024 Microsoft 365 Copilot DPIA, conducted jointly with research-network operator SURF, found four "high risks" in the Copilot product. SURF subsequently advised the Dutch educational sector to adopt a "cautious approach" but stopped short of advising against use entirely. The Dutch government continued using Microsoft 365 under conditional mitigations rather than substituting it.

Sources: Privacy Company DPIA archive; Dutch government published reports.

EDPS finding on European Commission's Microsoft 365 use (March 2024)

Date: Decision 8 March 2024. Confidence: high.

The European Data Protection Supervisor found that the European Commission's own use of Microsoft 365 "failed to provide appropriate safeguards to ensure that personal data transferred outside the EU/EEA are afforded an essentially equivalent level of protection," and that in its contract with Microsoft "the Commission did not sufficiently specify what types of personal data are to be collected and for which explicit and specified purposes."

EDPS Supervisor Wojciech Wiewiórowski stated: "It is the responsibility of the EU institutions and bodies to ensure that any processing of personal data outside and inside the EU is accompanied by robust data protection safeguards."

The decision applies Regulation (EU) 2018/1725 (the EU-institutions equivalent of GDPR). The Commission was ordered to suspend non-adequacy-covered transfers by 9 December 2024. The EDPS closed enforcement proceedings in 2025 after the Commission demonstrated remediation. Source: EDPS press release.

Italian Garante OpenAI / ChatGPT provisional restriction (March 2023)

Date: Provisional restriction 30 March 2023; lifted 28 April 2023; separate €15 million fine December 2024. Confidence: high.

The Italian data protection authority (Garante per la protezione dei dati personali) issued a provisional limitation on processing of personal data of Italian individuals by OpenAI's ChatGPT service, citing "the absence of adequate legal basis in relation to the collection of personal data and their processing for the purpose of training the algorithms underlying ChatGPT's functioning," and "the absence of any mechanism for verifying the age of users."

OpenAI implemented requested measures and the restriction was lifted on 28 April 2023. A separate €15 million administrative fine followed in December 2024. Source: Garante per la protezione dei dati personali, Provvedimento n. 112 of 30 March 2023.

French ANSSI SecNumCloud framework

Date: Framework versions iterated 2016 through v3.2 (March 2022); Cloud au Centre doctrine made SecNumCloud mandatory for sensitive French public-sector data in 2023. Confidence: medium.

SecNumCloud is the qualification framework administered by France's national cybersecurity agency ANSSI (Agence nationale de la sécurité des systèmes d'information) for sovereign cloud providers. Current SecNumCloud requirements include localising all customer and technical data in the EU, ensuring all system support is conducted within the EU by EU-based personnel, and restricting non-EU shareholders to below 25 percent individually and 39 percent collectively, with no veto rights or majority board control.

Currently qualified providers include OVHcloud, Outscale (Dassault Systèmes), Oodrive, Cloud Temple, Numspot, Worldline, and Scaleway's dedicated IaaS, among approximately nine total. This is a regulatory pre-emption framework rather than a single incident; it is included for completeness.

---

Forced acquisitions and ownership-change exposure

Kyndryl acquisition of Solvinity (DigiD hosting, 2025-2026, pending)

Date: Announced November 2025; pending Dutch national-security review (BTI); Tweede Kamer motion 22 April 2026; court ruling on contract extension 6 May 2026. Confidence: high.

Solvinity is the Dutch IT provider that hosts DigiD, the national digital identity system used by essentially every resident of the Netherlands to access government services. In November 2025, Kyndryl (NYSE: KD, a former IBM spin-off headquartered in New York) announced its intent to acquire Solvinity. If completed, the acquisition would place Solvinity under US legal compulsion frameworks including the CLOUD Act.

Pieter van Oordt, senior privacy advisor at Logius (the Dutch government agency managing DigiD), warned that a "Kyndryl takeover would put the personal data of almost everyone in the Netherlands within reach of the US government, which could also cut off Dutch access to DigiD."

A public petition gathered approximately 140,000 signatures opposing the deal. On 22 April 2026, the Tweede Kamer passed a motion by majority calling on the government not to renew the DigiD hosting contract with Solvinity in 2028 if the acquisition proceeds. On 6 May 2026, a Dutch court allowed the government to extend the existing contract pending the acquisition's national-security review. Three separate lawsuits against the deal have been filed.

The acquisition is the clearest pending case in this catalog. Whether it completes will shape Dutch sovereignty policy for the rest of the decade. Sources: DutchNews; NL Times.

---

Public-sector dependency markers

These are not adversarial events but they are the procurement decisions that determine the size of the exposure surface. They are included here because European sovereignty journalism keeps returning to them.

Belastingdienst (Dutch Tax Administration) Microsoft 365 transition

Date: Workstation modernisation began 2021 (replacing HCL Notes); parliamentary objections October 2025; State Secretary Heijnen confirmed continuation December 2025; M365 migration year 2026. Confidence: high.

The Dutch Tax Administration is in the process of migrating its office productivity stack to Microsoft 365, with Azure as the underlying cloud, replacing its previous HCL Notes deployment. State Secretary for Finance Eugène Heijnen stated in a parliamentary response that there is "geen geschikt Europees alternatief voor de situatie waarin de fiscus zich nu bevindt" (no suitable European alternative for the situation the Tax Authority currently finds itself in).

Parliamentary questions were filed by Hanneke van der Werf (D66), Barbara Kathmann (GroenLinks-PvdA), and Jesse Six Dijkstra (NSC) requesting that the transition be halted in favour of European alternatives. The government's response committed to a confidential two-scenario exit strategy (planned and acute / geopolitical) shared with Parliament, and to a nine-month data-portability window under the Microsoft contract.

The decision proceeded despite the objections. Sources: Tweede Kamer document 2025Z18778; Computable.

---

How to cite this catalog

Quick citation

BuiltInEu Research Team (2026). European Digital Sovereignty Incidents 2018-2026: Complete Catalog. Retrieved from https://builtineu.eu/blog/european-digital-sovereignty-incidents-2018-2026

Academic citation (APA 7th edition)

BuiltInEu Research Team. (2026, May 22). European digital sovereignty incidents 2018-2026: Complete catalog. BuiltInEu. https://builtineu.eu/blog/european-digital-sovereignty-incidents-2018-2026

News and editorial citation

According to a catalog maintained by BuiltInEu, at least 39 publicly documented European digital sovereignty incidents and policy events have been recorded from 2015 to May 2026, including the OFAC sanctioning of two EU national ICC judges under Executive Order 14203 (source).

License: Creative Commons Attribution 4.0 International (CC BY 4.0). You may reuse, redistribute, and adapt this catalog and its underlying dataset, including for commercial purposes, with attribution.

---

Download the dataset

Complete catalog available in machine-readable formats:

• CSV download
• JSON download

Dataset columns: id, date_iso, incident_type, country, vendor_or_actor, mechanism, summary, source_1_url, source_2_url, source_type_1, source_type_2, confidence, last_verified_at.

---

Sources

Primary government and institutional sources:

1. US Congress: Public Law 115-141, CLOUD Act Division V
2. US Federal Register: EO 13928 (ICC sanctions, 2020)
3. White House: EO 14203 (ICC sanctions, 2025)
4. US Department of State: June 2025 ICC judges sanctions announcement
5. US Treasury OFAC: Termination of ICC sanctions program, April 2021
6. CJEU: Case C-362/14 (Schrems I), curia.europa.eu
7. CJEU: Case C-311/18 (Schrems II), curia.europa.eu
8. CJEU: Case T-553/23 (Latombe v Commission), curia.europa.eu
9. European Commission: Adequacy decisions overview
10. European Commission: Implementing Decision (EU) 2023/1795 (EU-US DPF)
11. European Data Protection Board: Meta €1.2bn fine announcement
12. European Data Protection Supervisor: Commission M365 decision, 2024
13. Garante per la protezione dei dati personali: Provvedimento n. 112, 30 March 2023
14. Autoriteit Consument en Markt: acm.nl
15. Autoriteit Persoonsgegevens: autoriteitpersoonsgegevens.nl
16. Privacy Company: DPIA archive
17. Microsoft Corporation: Law Enforcement Requests Report
18. ANSSI: SecNumCloud framework
19. Rijksoverheid: SLM Rijk Microsoft 365 Copilot DPIA, December 2024
20. US Congress: H.R.7888, Reforming Intelligence and Securing America Act (FISA 702 reauthorisation, 2024)
21. Brennan Center for Justice: FISA Section 702 resource page
22. White House: Memorandum, "Defending American Companies and Innovators From Overseas Extortion and Unfair Fines and Penalties" (21 February 2025)

Tier-1 press citations:

23. Vrij Nederland: Microsoft Dutch civil servants investigation, 21 May 2026
24. NOS: Coverage of Microsoft-Dutch case
25. Binnenlands Bestuur: Coverage of Microsoft-Dutch case, 22 May 2026
26. Villamedia / ANP: Coverage of Microsoft-Dutch case, 22 May 2026
27. Al Jazeera: US visa bans on European figures, 24 December 2025
28. CNBC: Breton visa ban coverage, 24 December 2025
29. Euronews: Europe defends digital rules, 24 December 2025
30. DutchNews: Solvinity DigiD coverage, April 2026
31. NL Times: Solvinity court ruling, May 2026
32. Computable: Belastingdienst M365 transition, December 2025

Legal and policy analysis:

33. Skadden Arps: Trump 2025 digital services taxes memorandum
34. Human Rights Watch: ICC sanctions analysis, 2020 and 2025
35. EDRi: Coverage of US Congressional probes into European tech regulation

---

If you find an incident missing from this catalog that meets the two-source rule, contact info@builtineu.eu. The next quarterly update is scheduled for Q3 2026.

Companion data: GDPR Enforcement Statistics 2018-2025, What Is Digital Sovereignty?, The European SaaS Stack 2026.

Practical European substitutes for the US-headquartered services exposed in this catalog: Proton Mail, Tresorit, Nextcloud, Hetzner, Mistral, Infomaniak kDrive. Browse the full directory at /alternatives/microsoft-365 and /categories/cloud-storage.