Why Data Jurisdiction Matters More Than Encryption for Cloud Security
The Dutch Microsoft case reveals a critical blind spot in cloud security. Learn why data jurisdiction and legal exposure matter more than encryption for protecting your organization.
I keep telling people that where your data lives matters more than how well it's locked. The importance of building a sovereign stack over the next few years is going to become very clear, very quickly.
The Dutch story this week is one of lawful disclosure. Nobody broke in. No password was guessed and no server was breached.
Microsoft, according to Dutch reporting, simply handed over the names of civil servants to the US House of Representatives because American law told it to.
That is worth sitting with. The company trusted to hold the data disclosed it lawfully.
Here is what happened, as far as we know. Microsoft reportedly shared emails, minutes, and meeting invitations belonging to staff at two Dutch regulators, the Authority for Consumers and Markets and the Dutch Data Protection Authority. The names in those documents were not redacted.
The civil servants involved were working on the Digital Services Act, the European law that makes online platforms act against illegal content, child sexual abuse material, and disinformation. The US government regards that law as a form of censorship. So you have European officials doing their jobs, enforcing European rules, and their names ending up in front of American lawmakers who object to those rules.
The mechanism is a piece of American legislation called the Cloud Act. In plain terms, it means that if a company is American, the US government can compel it to hand over data the company holds, even when that data sits on servers in another country and belongs to people who are not American.
This kind of law, and this kind of action, is exactly why the US said it could not allow TikTok user data to sit on Chinese servers: similar laws exist there.
You do not get a say. The Dutch government did not get a say.
As State Secretary Willemijn Aerdts told Dutch press, "If you have a problem, you fight it out with us or, if necessary, in Europe, but not against the backs of civil servants." Her colleague Eric van der Burg said he was concerned that Microsoft had simply shared the names, though he wants to understand exactly how and in which documents before drawing firm conclusions.
I want to be fair to Microsoft here, because the framing of "leak" does a lot of work. A leak implies negligence or malice. What seems to have happened is compliance. The company was likely following a legal obligation it could not refuse without breaking American law.
That is precisely why this should worry leaders even more.
A mistake can be fixed with better security. A structural obligation cannot be patched. It is baked into the relationship the moment you choose the vendor.
For anyone running an organisation, this reframes a question most procurement teams never properly ask. We tend to evaluate cloud providers on uptime, encryption, certifications, and price.
These things are important. But they answer the question "how well is my data protected from people who should not have it?" The Dutch case asks a different question: "who can lawfully demand my data, and under whose laws?"
Those are not the same question, and the second one rarely makes it onto the scorecard.
This is why the Netherlands is now talking openly about digital sovereignty, the idea that a country should not depend so heavily on foreign technology companies that it loses control over its own information. Both Aerdts and Van der Burg were honest that this takes years rather than months. You cannot rip out the software running a government in a weekend. That honesty matters, because the temptation after a story like this is to announce a bold pivot and carry on as before.
There is a quieter lesson for those of us who advise organisations on technology. Trust in a system includes trust in the engineering, but also trust in the jurisdiction, the incentives, and the laws that sit behind the engineering.
A tool can be technically excellent and still expose you, because the values and legal obligations of whoever built it travel with it. That is true of cloud storage, and it is increasingly true of the AI services many organisations are rushing to adopt, often hosted by the same handful of American firms.
One thing worth doing this quarter: take your three most sensitive data flows and, for each one, write down which country's government could lawfully compel access. The question is who can ask, and under whose law, rather than how secure it is. If you cannot answer for all three, you have found your starting point.