Under Oath, They Said They Could Not Say No. That Sentence Is the Whole Market
Microsoft France told the French Senate under oath it cannot guarantee EU data will never reach US authorities. A sovereign region improves the engineering. It does not close the legal gap. Ownership does.
By Micky Irons
On 10 June 2025, a Microsoft France executive sat before a French Senate committee, under oath, and was asked a plain question. Could the company guarantee that data belonging to French citizens, held in a French sovereign region, would never be handed to United States authorities? The honest answer, repeated and reaffirmed through 2026, was no. They could not guarantee it.
I want to sit with that for a moment, because I think most of the coverage skimmed past the important part. This was not a leak. It was not a hostile analyst report. It was the provider itself, on the record, declining to promise something buyers had assumed they were already paying for. When the person selling you sovereignty tells a parliament under oath that they cannot promise sovereignty, the marketing and the reality have visibly parted ways.
That sentence, we could not say no, is the whole market. Everything else is detail.
Why they could not say no
The reason is structural, not technical. The US CLOUD Act lets American authorities compel a US-domiciled company to produce data in its possession, custody, or control, regardless of where in the world that data physically sits. Encryption at rest, a datacentre in Paris, a French-badged subsidiary, a local operating partner: none of these change the ownership chain. If the ultimate parent is subject to US jurisdiction, the parent can be ordered to reach into the subsidiary and produce.
So when Microsoft France answered honestly, they were not being evasive. They were describing the law they operate under. A French sovereign region genuinely improves a lot of things. It improves data residency, latency, local operational staffing, and resistance to casual access. Those are real engineering gains and I will not pretend they are nothing. But an engineering improvement to a datacentre does not rewrite the jurisdiction its owner answers to. The gap that stays open is legal, and you cannot close a legal gap with a better rack layout.
This is the honest version of the argument, and I insist on the honest version. I am not going to tell you that European institutions are legally barred from using US cloud. They are not. Almost every regime that governs regulated data, including GDPR, DORA, the FCA and PRA rulebooks, the EBA guidelines, and the NHS Data Security and Protection Toolkit, permits cloud with the right controls. The genuine no-cloud bar exists only at the workload level: classified material at SECRET and above, ITAR-controlled defence data, isolated OT and SCADA environments, and cases where a data protection impact assessment comes back negative. Most workloads are not those workloads.
So the market does not rest on prohibition. It rests on preference. And the preference is about control.
Control is the thing you are actually buying
Strip away the acronyms and a sovereignty decision comes down to one question. When a foreign authority issues a compelled-production order for data you are responsible for, who gets to answer, and what can they say?
In the US sovereign cloud model, the honest answer, given under oath, is that the provider cannot guarantee a no. The decision is not yours. It sits several corporate layers above you, inside a legal system you do not vote in and cannot appeal to.
There is exactly one structure where the answer is genuinely no, and it is not a contract clause. It is ownership. If the system runs inside your own walls, on hardware you control, with no foreign parent holding the keys, then there is no third party who can be compelled, because there is no third party in the possession chain at all. A subpoena served on Microsoft cannot reach a system Microsoft does not operate. That is not a stronger promise. It is the removal of the party who would otherwise have to make the promise.
This is why I built Mickai the way I did.
What we built, and why the shape matters
Mickai is a Sovereign Intelligence Operating System. A SIOS is not an app you rent and it is not a region you are assigned. Regulated organisations own it and run it inside their own walls, air-gapped where they need to be, with a cryptographically-signed audit record generated on every action the system takes. When your legal team is asked who can be compelled to hand over the data, the answer is nobody outside this building, because nobody outside this building has it.
That single design choice changes the answer to the Senate question. If a French ministry or a UK trust runs Mickai on its own infrastructure, there is no US parent, no operating-under-licence arrangement, and no offshore possession to compel. The subpoena has nowhere to land. The audit trail, signed at the point of action, means the organisation can also prove exactly what the system did and did not do, which is the other half of sovereignty that people forget: not just keeping data in, but being able to demonstrate control to a regulator afterwards.
The intellectual property under this is real and it is documented. We have 104 UK patent applications on file, roughly 2,340 claims across 13 families, with the named inventor Mickarle Wagstaff-Irons, and they are moving through toward examination and grant. Those filings describe the sovereign runtime, the signed audit substrate, and the isolation model. I frame the moat by what the filings contain, because that is the honest frame.
The size of the preference
If the market were only the workloads with a genuine workload-level no-cloud bar, it would be a niche. It is not. The register-backed sovereign market we model is around 16,092 institutions across the UK and EU: 7,933 regulated core organisations plus an 8,159 large-private adjacency that wants the same control for commercial reasons. The broader enterprise-AI-platform software category that this sits inside runs, on Verdantix numbers, from about USD 13 billion in 2024 to USD 50.3 billion by 2030, which is roughly £11.7 billion to £39.7 billion. That is not a prohibition market. It is a preference market, and preference markets at that scale are where the durable businesses get built.
The Senate testimony did not create this demand. It just made it impossible to ignore. Every procurement officer who read that transcript now has to explain, in writing, why they accepted a provider who told a parliament under oath that they could not say no.
The takeaway
Sovereign cloud is a genuine improvement and I will not dismiss it. But an improvement is not a closure. As long as the parent is US-domiciled, the CLOUD Act gap stays open, and the provider's own sworn answer to whether they can guarantee otherwise is no. If your requirement is control, if you need to be the one who answers a foreign subpoena and can say no and mean it, then the only structure that delivers that is ownership inside your own walls. That is not a slogan. It is the one place the law leaves you standing on your own ground.
Frequently asked questions
Does the CLOUD Act mean European institutions cannot legally use US cloud?
No, and I want to be precise about this. Almost every regime, including GDPR, DORA, the FCA and PRA rules, the EBA guidelines, and the NHS DSP Toolkit, permits cloud with the right controls. The genuine no-cloud bar applies only to specific workloads such as classified material, ITAR-controlled data, and isolated OT systems. The wider market is driven by preference for control, not by prohibition.
Does a French or European sovereign region fix the problem?
It fixes a lot of engineering problems: residency, latency, local staffing, resistance to casual access. It does not fix the legal one. If the parent company is subject to US jurisdiction, the parent can be compelled regardless of where the datacentre sits, which is exactly what Microsoft France told the Senate under oath.
How is Mickai different from a sovereign cloud region?
Mickai is a Sovereign Intelligence Operating System that you own and run inside your own walls, air-gapped where needed, with a cryptographically-signed audit record on every action. There is no foreign parent in the possession chain, so there is no third party to compel. The answer to a foreign subpoena becomes genuinely no because the data never left your control.
Is this just marketing, or is the technology real?
It is built and it runs. The design is backed by 104 UK patent applications, around 2,340 claims across 13 families, named inventor Mickarle Wagstaff-Irons, now moving toward examination. The filings describe the sovereign runtime, the isolation model, and the signed audit substrate.
If you want to go deeper, we have written more on the sovereignty preference market and why owning your intelligence layer beats renting it, on how the signed audit record satisfies a regulator after the fact, and on where the genuine workload-level no-cloud bar actually applies. Those three together explain the whole shape of what we are building.
Micky Irons, founder and CEO, Mickai LTD


