Microsoft is a US-domiciled, publicly listed technology company and one of the world's largest AI model producers, giving EU regulated-sector customers both extensive compliance tooling and an irreducible CLOUD Act and FISA Section 702 exposure that the EU Data Boundary reduces but cannot eliminate. The Phi model family — spanning Phi-4, Phi-4-reasoning, Phi-4-multimodal, and Phi-4-mini — is released under the permissive MIT licence with detailed model cards, data-summary cards, and pre-deployment red-teaming results, enabling fully sovereign self-hosting within EEA infrastructure. The company holds ISO 27001, SOC 2 Type 2, and numerous sector certifications, has a dedicated EU AI Act Trust Center page, and signed the full GPAI Code of Practice in August 2025, but a 2024 US Cyber Safety Review Board finding of 'inadequate' security culture and record-high critical CVE counts in 2025 remain material concerns for EU regulated-sector customers.
Microsoft is a US-incorporated entity fully subject to the CLOUD Act and FISA Section 702. US authorities can compel disclosure of data held anywhere globally, including EU data centres. The EU Data Boundary delivers data residency but not legal sovereignty — OVHcloud and multiple European analysts have confirmed this distinction publicly. EU regulated-sector customers (especially in finance, healthcare, and government) must account for this residual legal risk in DPIAs.
The US Cyber Safety Review Board (April 2024) found Microsoft's security culture 'inadequate' following the Storm-0558 intrusion (2023), concluding the breach 'should never have happened' due to 'a cascade of security failures'. A second state-actor breach (APT29/Midnight Blizzard) occurred in January 2024. Critical CVEs doubled year-on-year in 2025 (78 → 157) per the BeyondTrust 2026 Microsoft Vulnerabilities Report, reversing a multi-year downward trend.
A ProPublica investigation (July 2025) reported that Microsoft employs engineers in China with access to sensitive US government systems, supervised by American 'digital escorts' with limited technical experience. This raises supply-chain security concerns for EU regulated-sector customers, particularly in government and defence-adjacent sectors.
A critical SharePoint Server zero-day (unauthenticated remote code execution) was actively exploited in July 2025, impacting US federal and state agencies, universities, and businesses globally. A critical Entra ID flaw (CVE-2025-55241) allowing cross-tenant token forgery was also patched in July 2025.
The CSRB criticised Microsoft for failing to correct inaccurate public statements about the Storm-0558 root cause for approximately six months after internally acknowledging the error. This transparency and accountability failure is relevant for EU regulated-sector customers assessing vendor incident response trustworthiness.
Microsoft's own EU Data Boundary FAQs acknowledge that customers cannot opt out of limited and necessary cross-border transfers for global cybersecurity purposes. Compliance officers must verify whether these residual transfers are compatible with their organisation's GDPR obligations and sector-specific regulations.
Microsoft's EU AI Act compliance posture is self-declared and still maturing. The company notes that key implementation details of the Act are not yet finalised and that additional information and tools will be published on an ongoing basis. Customers should monitor the Trust Center page for updates ahead of the August 2026 full enforcement date.
Stav AI Act assessment
Editorial assessment, not legal advice. Stav's risk ratings, scores, and verdicts are our own analysis of publicly available information and may be incomplete or out of date. Verify independently before making compliance or procurement decisions.
Microsoft completed its three-phase EU Data Boundary in February 2025, ensuring customer data and pseudonymised personal data for M365, Azure, Dynamics 365, and Power Platform is stored and processed within EU/EFTA regions. A June 2025 extension committed to full EU-resident staff management of EU cloud operations with tamper-evident access logging — the most comprehensive EU data localisation offering among hyperscale cloud providers.
Microsoft signed the full GPAI Code of Practice in August 2025 (all chapters, including safety, security, and transparency obligations), has a dedicated EU AI Act Trust Center page (confirmed live June 2026), published a January 2025 compliance overview, and operates cross-functional AI governance working groups — among the strongest EU AI Act compliance postures from any major model producer.
Microsoft holds ISO/IEC 27001 (2022 edition), ISO 27017, ISO 27018, ISO 27701, SOC 2 Type 2, SOC 1, SOC 3, HITRUST CSF, and FedRAMP certifications across its core cloud estate — with annual independent third-party audits. Audit reports are publicly available via the Service Trust Portal.
All Phi open-weights models are released with detailed HuggingFace model cards, data summary cards (describing training data composition and methodology), technical reports, and pre-deployment red-teaming and safety evaluation disclosures. The Phi-4-reasoning technical report (March 2026) provides extensive detail on training data curation for reasoning models. The 2025 Responsible AI Transparency Report is publicly available.
Microsoft's Phi model family is released under the permissive MIT licence, enabling unrestricted commercial use, fine-tuning, and redistribution. As of June 2026, the family includes Phi-4-mini (4B, deployed in the Microsoft Edge browser), Phi-4-multimodal (5.6B), Phi-4 (14B), Phi-4-reasoning (14B), Phi-4-reasoning-plus, and Phi-4-reasoning-vision-15B — all MIT-licensed and enabling sovereign EEA self-hosting.
Privacy policy review
Creator profile
Microsoft is a US-domiciled, publicly listed technology company and one of the world's largest AI model producers, giving EU regulated-sector customers both significant compliance tooling and an irreducible CLOUD Act exposure that the EU Data Boundary reduces but cannot eliminate. The company has published detailed EU AI Act compliance statements, signed the GPAI Code of Practice, and holds ISO 27001 / SOC 2 certifications across its core cloud estate, but a 2024 US Cyber Safety Review Board report found its security culture 'inadequate' following a series of nation-state intrusions, and the Secure Future Initiative launched in response is still maturing. Open-weights models (Phi family) are released predominantly under the permissive MIT licence with model cards and data-summary cards, while some enterprise AI offerings remain proprietary.
Stav editorial summary
Microsoft is a United States entity. Training data and weights produced under United States jurisdiction are covered by the CLOUD Act.
The exposure applies to training. Inference is unaffected when hosted on Stav infrastructure inside the EEA.
Stav compliance has not yet scored Microsoft. Scores are published once the policy review and infrastructure assessment complete.
Findings
Citations gathered when the Compliance Curator last reviewed this creator’s public-facing documents. Grouped by source so the picture stays auditable.
“... We’ve long embraced responsible AI and are aligning our policies with the EU AI Act. We have dedicated working groups combining AI governance, eng...”
“In line with our goal of supporting future AI development in the community, Phi-4-reasoning-vision-15B is released under a permissive license with mod...”
The CLOUD Act allows U.S. authorities to access data stored in the EU, putting it in direct conflict with GDPR.
With US-based cloud providers legally bound by American law — including the US CLOUD Act, which allows US authorities to demand access to data held by...
To fulfill these goals, today Microsoft is announcing that it has completed the EU Data Boundary for the Microsoft Cloud, an industry-leading solution...
Q: Can customers opt out of having their data transferred outside the EU ... A: No, customers cannot opt out of limited and necessary data transfers f...
August 2025: 26 major AI providers signed GPAI Code of Practice including Microsoft, Google, Amazon, OpenAI, Anthropic.
Microsoft is a well-established, publicly listed technology company with a decades-long operating history, active AI research programme (Phi model cadence from 2023 through June 2026), and demonstrated commitment to European market investment. The Microsoft Research website was last modified June 4, 2026, and the company filed its Q3 FY2026 10-Q with the SEC, confirming normal operations.
Microsoft is actively engaged with EU policymakers, contributes to the GPAI Code of Practice, participates in CEN/CENELEC technical standards development for the AI Act, operates a Transparency Centre in Brussels, and has a dedicated DORA compliance page — demonstrating sustained EU regulatory engagement beyond minimum compliance requirements.
Published safeguards & certifications
“The CSRB concluded that "Microsoft’s security culture was inadequate and requires an overhaul," noting that Microsoft "failed to detect the compromise...”
“Prior to release, phi-4 followed a multi-faceted evaluation approach. Quantitative evaluation was conducted with multiple open-source safety benchmark...”
“Currently, both Azure Public and Azure Germany are audited once a year for ISO/IEC 27001 compliance by a third-party accredited certification body, pr...”
“Building on this achievement, Microsoft Security Copilot has already secured several other critical data protection certifications, including ISO 2700...”
“Microsoft disclosed a record 1,360 vulnerabilities in 2024 + Critical bugs dropped to 78 + Risks shift toward EoP, cloud, and AI.”
“By making Phi-4 available on Hugging Face with its full weights and an MIT License, Microsoft is opening it up for businesses to use in their commerci...”
“In January 2024, Microsoft disclosed that Russian state-backed hackers, known as Midnight Blizzard, compromised the company's corporate network b...”