
Governance Infrastructure for Microsoft 365 Cloud Environment

Microsoft 365 governance: Beyond Encryption

The authority gap in Microsoft 365 for public sector and defense organizations


Microsoft 365 has become a foundational collaboration platform for governments, defense organizations, and regulated public-sector bodies across Europe. Its security architecture is mature, extensively certified, and continuously improved.

Yet, as adoption deepens into high-sensitivity workloads, a structural question remains insufficiently addressed:

Who has the authority to decide on exceptional access to sensitive data, under which jurisdiction, and with what proof?

This paper explains why this question sits outside the scope of encryption alone, why it is not a failure of Microsoft 365, and why public-sector and defense organizations increasingly need a jurisdiction-bound governance layer to complement existing cloud security controls.


What Microsoft 365 does well, and intentionally so


Microsoft 365 is designed to operate at global scale, across a large number of national and sectoral regulatory regimes. Its strengths are well known:

  • encryption at rest and in transit

  • strong identity and access management

  • comprehensive compliance certifications

  • continuous security monitoring and incident response

  • mature operational processes


For most workloads, these capabilities are more than sufficient.

Importantly, Microsoft 365 is not designed to arbitrate conflicts of law between jurisdictions, nor to assume legal responsibility for refusing access requests on behalf of sovereign entities. That boundary is intentional and necessary for a global platform.


Where encryption stops answering the hard questions


Public-sector and defense organizations often rely on key-centric models such as:

  • Bring Your Own Key (BYOK)

  • Hold Your Own Key (HYOK)

  • customer-managed encryption keys


These approaches significantly strengthen cryptographic control and reduce risk. They differ in what they prevent: with BYOK the customer controls and can revoke the root key, but the service still decrypts data at run time in order to operate on it; with HYOK-style double-key encryption one key never leaves the customer, so the service cannot decrypt the protected content at all. In both cases the key model governs whether decryption is technically possible, not whether a particular exceptional access is authorised.


However, they primarily answer one question:

Who holds the encryption key?

They do not fully answer:

  • who decides whether access should occur

  • under which legal authority

  • how refusals are enforced

  • how those decisions are proven after the fact


Encryption protects data. Governance determines authority.


The authority gap in regulated and defense contexts


In highly regulated environments — such as national administrations, critical infrastructure operators, or defense organizations — the most sensitive scenarios are rarely “normal access.”


They are exception scenarios:

  • internal investigations

  • emergency access requests

  • cross-border legal pressure

  • intelligence or defense-related inquiries

  • post-incident audits


In these cases, the hardest operational task is not granting access. It is refusing access — and proving that refusal was lawful, deliberate, and enforced.


This is the authority gap:

The absence of a clear, jurisdiction-bound decision layer governing cryptographic access to sensitive data stored in global cloud platforms.
Figure: Microsoft 365 encryption and security, with authority and jurisdiction over exceptional access shown as out of scope by design for global cloud platforms.
Microsoft 365 provides strong encryption and security by design. Authority and jurisdiction over exceptional access decisions sit above the platform and are intentionally out of scope for global cloud services.

Why this is not a Microsoft problem to solve


It is tempting to frame this gap as a platform weakness. It is not.

For a global provider like Microsoft, assuming jurisdiction-specific authority would mean:

  • arbitrating between conflicting national laws

  • taking legal responsibility for sovereign refusals

  • embedding local governance logic into a global service


This would be legally, politically, and commercially untenable.

The absence of jurisdiction-bound authority in Microsoft 365 is therefore a design boundary, not an oversight.


Why public sector and defense organizations feel this gap first


Organizations such as the Swiss Armed Forces or industrial defense actors like Airbus operate under:

  • strict national secrecy obligations

  • defense-specific legal frameworks

  • heightened scrutiny from oversight bodies

  • long-term accountability requirements


For these actors, being able to say “data is encrypted” is not sufficient.

They must also be able to say:

  • who had the authority to approve or refuse access

  • under which jurisdictional framework

  • with which independent controls

  • and with what verifiable evidence

Figure: security and encryption compared with governance and authority in regulated cloud and public-sector environments.
Encryption protects data. Governance determines who can decide, under which law, and with what accountability. Both are necessary, but they address different responsibilities.

A governance-layer approach


One emerging approach is to introduce a governance layer above cloud security, without altering where applications or data reside.


Conceptually, such a layer would:

  • ensure selected repositories store ciphertext only by default

  • require explicit, jurisdiction-bound authorization for any exceptional access

  • separate execution (cloud operations) from authority (legal governance)

  • treat refusal as a first-class, enforceable outcome

  • generate durable, auditable evidence for regulators and oversight bodies


Crucially, this approach does not replace Microsoft 365. It complements it by handling what global platforms cannot reasonably own: local authority and legal accountability.
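The separation described above, as an added example that is not code from this page, from Microsoft or from any product: a minimal Python model in which the authority side signs a decision bound to a jurisdiction, an object and an outcome; the execution side holds only ciphertext and data keys and releases a key solely against a valid "allow" issued under the jurisdiction it is bound to; and every outcome, refusals included, is appended to a hash-chained evidence log. The HMAC shared key, the "CH" and "XX" jurisdiction codes, the request and object identifiers, the legal-basis references and the officer names are constructed placeholders; a deployable version would use an asymmetric signature with the authority's private key held off-platform, so that cloud operations can verify decisions but never issue them.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Optional

# Authority side (legal governance). HMAC with a shared key is an assumption so the
# example runs on the standard library alone; a real deployment needs an asymmetric
# signature, so the execution side can verify decisions but never issue them.
AUTHORITY_KEY = secrets.token_bytes(32)

@dataclass(frozen=True)
class Decision:
    request_id: str
    object_id: str
    jurisdiction: str   # legal framework the decision is issued under
    outcome: str        # "allow" or "refuse": a refusal is an explicit decision
    legal_basis: str    # reference to the legal basis (constructed placeholder)
    approver: str

def canonical(obj: dict) -> bytes:
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_decision(d: Decision, key: bytes) -> str:
    return hmac.new(key, canonical(asdict(d)), hashlib.sha256).hexdigest()

class EvidenceLog:
    """Append-only, hash-chained record of every decision, refusals included."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: list = []

    def append(self, d: Decision, sig: str, enforced: str) -> None:
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {"decision": asdict(d), "sig": sig, "enforced": enforced, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical(entry)).hexdigest()
        self.entries.append(entry)

    def verify(self) -> bool:
        prev = self.GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True

class CiphertextRepository:
    """Execution side (cloud operations): releases a data key only against a valid
    'allow' decision issued under the jurisdiction it is bound to; logs every outcome."""

    def __init__(self, jurisdiction: str, authority_key: bytes, log: EvidenceLog) -> None:
        self.jurisdiction = jurisdiction
        self.authority_key = authority_key
        self.log = log
        self.keys = {}                      # object_id -> data key; objects stay ciphertext

    def store(self, object_id: str) -> None:
        self.keys[object_id] = secrets.token_bytes(32)   # constructed data key

    def release_key(self, d: Decision, sig: str) -> Optional[bytes]:
        if not hmac.compare_digest(sig, sign_decision(d, self.authority_key)):
            self.log.append(d, sig, "rejected: not issued by bound authority")
            return None
        if d.jurisdiction != self.jurisdiction:
            self.log.append(d, sig, "rejected: jurisdiction mismatch")
            return None
        if d.outcome != "allow":
            self.log.append(d, sig, "refusal enforced")
            return None
        if d.object_id not in self.keys:
            self.log.append(d, sig, "rejected: unknown object")
            return None
        self.log.append(d, sig, "key released")
        return self.keys[d.object_id]

def run_scenario() -> dict:
    """Constructed scenario: an allow, a refusal, a foreign-signed and a forged decision."""
    log = EvidenceLog()
    repo = CiphertextRepository("CH", AUTHORITY_KEY, log)
    repo.store("doc-42")
    allow = Decision("req-1", "doc-42", "CH", "allow", "basis-ref-1", "officer-a")
    refuse = Decision("req-2", "doc-42", "CH", "refuse", "basis-ref-2", "officer-a")
    foreign = Decision("req-3", "doc-42", "XX", "allow", "basis-ref-3", "officer-x")
    forged = Decision(**{**asdict(refuse), "outcome": "allow"})   # refusal flipped, not re-signed
    results = {
        "allowed": repo.release_key(allow, sign_decision(allow, AUTHORITY_KEY)) is not None,
        "refused": repo.release_key(refuse, sign_decision(refuse, AUTHORITY_KEY)) is None,
        "foreign": repo.release_key(foreign, sign_decision(foreign, secrets.token_bytes(32))) is None,
        "forged": repo.release_key(forged, sign_decision(refuse, AUTHORITY_KEY)) is None,
        "log_ok": log.verify(),
        "outcomes": [e["enforced"] for e in log.entries],
    }
    log.entries[1]["enforced"] = "key released"   # rewrite history after the fact
    results["tamper_detected"] = not log.verify()
    return results
```

The forged case is the one that matters for a governance layer: a refusal is itself a signed decision, so turning it into an allow without the authority's signature is rejected by the execution side and recorded as such, and a later edit to any log entry breaks the chain that auditors verify.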


From SECURITY to GOVERNABILITY


Public-sector cloud adoption is no longer blocked by encryption or technical security. It is increasingly constrained by governability:

  • the ability to decide under pressure

  • to refuse when required

  • and to demonstrate that those decisions were enforced


As cloud platforms continue to mature, governance — not encryption — becomes the differentiator for high-sensitivity public and defense workloads.


Microsoft 365 remains a powerful and secure foundation for public-sector collaboration. The remaining challenge is not security, but jurisdiction-bound authority over exceptional access.


Addressing this challenge does not require moving data, fragmenting platforms, or weakening cloud ecosystems. It requires acknowledging a clear boundary — and complementing it with governance designed for sovereign responsibility.


