The Sovereignty Gap Starts at Your Endpoints

The sovereignty gap starts at your endpoints — and most IT teams haven’t looked there yet.

On 14 April 2026, the Free ICT Europe Foundation published a policy paper with a pointed argument: European organizations technically own their digital infrastructure — but many lack real control over it. The foundation called this the “sovereignty gap” — and called on the EU to formally recognize the risk embedded in European IT dependencies.

The timing is not a coincidence. All 27 EU member states signed a declaration on digital sovereignty in November 2025. The European Commission proposed targeted amendments to NIS2 in January 2026. And speaking at Denmark’s OffDig conference in March, former Microsoft executive Casper Klynge said plainly what many IT leaders have been thinking privately: the Cloud Act and FISA are now more pressing concerns than GDPR — and European organizations can only trust their American technology vendors to some extent. Not all of the way.

For most organizations, the sovereignty conversation starts with cloud infrastructure and productivity platforms. That is understandable. But there is a blind spot in most sovereignty strategies: endpoint management.

Endpoints are where the data is

Every managed device in your organization generates operational telemetry. Patch status. Application inventory. Driver versions. Vulnerability exposure. Privilege elevation events. Configuration drift. That data is processed through your endpoint management platform — and it flows under the jurisdiction of whoever owns and operates that platform.

Amazon, Microsoft, and Google control more than 70% of the European cloud market, while European providers hold under 15% — down from 29% in 2017, according to Synergy Research Group. Endpoint management platforms sit inside that same dependency structure.

Source: Synergy Research Group, reported by CNBC, 13 February 2026 — cnbc.com/2026/02/13/four-charts-europes-reliance-us-digital-infrastructure.html

The Cloud Act gives US authorities access to data held by US companies, regardless of where it is physically stored. Microsoft admitted in a French court that it could not guarantee data sovereignty for European customers in the event of a US legal injunction. That is not a future risk. It is a present one.

What European endpoint management actually means

Shifting to a European endpoint management platform is not about removing American technology from the stack. Most organizations will continue to rely on Microsoft 365, Entra ID, and Intune as core infrastructure — and they should. These are mature, capable platforms.

The question is what sits alongside them.

A European-built, EU-hosted endpoint management platform provides IT teams with three things that US-based alternatives cannot reliably deliver. Clear data residency: operational telemetry remains within the EU, processed under European law. Predictable regulatory alignment: GDPR compliance is architectural, not a configuration option, and NIS2-aligned operations are built into the platform. Documented governance: sub-processor registers, data processing agreements, and audit-ready evidence are available without chasing a vendor headquartered four time zones away.

For IT managers preparing for compliance audits, cybersecurity assessments, or internal board reviews, this level of clarity has real operational value.

The Microsoft question

A common concern is whether a shift toward European endpoint management requires dismantling an existing Microsoft investment. It does not.

The most effective approach for most organizations is additive. CapaOne is designed to strengthen Microsoft Intune — not replace it. Intune handles policy management, enrollment, and identity. CapaOne extends that foundation with capabilities that Intune does not natively cover: automated third-party application updates, vendor-certified driver management, just-in-time privilege elevation, vulnerability visibility, and exportable compliance evidence. Organizations that do not run Intune can adopt CapaOne as a complete, standalone endpoint management platform.

Where to start

The sovereignty gap identified in this week’s policy paper is not abstract. It is a set of concrete decisions about procurement, architecture, and long-term risk. For IT teams, the most immediate and actionable step is to evaluate where endpoint management sits in the current stack. Who builds it? Where is it hosted? Whose legal framework governs the data it processes?

These are questions with answers. And the answers have consequences.

CapaOne Endpoint Management Platform is built in Denmark, hosted in the EU, and designed for organizations that require modern endpoint operations without US jurisdictional exposure. It is GDPR-first by architecture, NIS2-aligned in operation, and built to support European data sovereignty — while working alongside Microsoft Intune or standing alone as a complete endpoint management platform.

Have More Questions?

The sovereignty gap refers to the difference between technically owning your IT infrastructure and controlling it. In endpoint management, this gap emerges when the platform processing your device telemetry — patch status, application inventory, privilege events — is owned and operated by a company subject to US law. The Cloud Act and FISA can compel US-based vendors to provide data to US authorities regardless of where that data is physically stored. Most organizations focus their sovereignty strategy on cloud infrastructure and productivity tools, leaving endpoint management as an unexamined dependency.

Microsoft Intune is hosted and operated by a US company, which means it is subject to the US Cloud Act and FISA regardless of data residency choices. Microsoft has acknowledged in a French court proceeding that it cannot guarantee European customers’ data would never be accessible to US authorities under a legally valid injunction. For organizations in regulated sectors or those subject to NIS2, this creates a compliance risk that data residency alone does not resolve. Many European organizations address this by complementing Intune with a European-built endpoint management platform that processes operational telemetry under EU jurisdiction.

CapaOne is developed in Denmark and hosted in the EU, with all endpoint telemetry processed under European law. It operates under a documented Data Processing Agreement, maintains full sub-processor transparency, and is designed to be GDPR-first by architecture — not by configuration. CapaOne is NIS2-aligned in operation, providing vulnerability visibility, audit-ready evidence, and least-privilege enforcement through just-in-time privilege elevation. It works alongside Microsoft Intune or as a standalone platform, giving European IT teams endpoint control without US jurisdictional exposure.

The US Cloud Act (2018) empowers US law enforcement to compel any US-based company to produce data stored anywhere globally — regardless of the data’s physical location or the customer’s nationality. For European IT teams, this means that an endpoint management platform operated by a US company can be compelled to share your device telemetry with US authorities, even if that data is stored in an EU data center. This risk is structural and cannot be resolved through data residency alone. It requires choosing a vendor that is not subject to US extraterritorial law.
