Digital Emigration

When Microsoft pulled the plug

Published:

_ A warning cloud customers can’t ignore_

This was not a security failure.
It was a continuity failure caused by jurisdiction.

On 5 February 2025, something quietly unprecedented happened.

The email account of the Chief Prosecutor of the International Criminal Court (ICC) was disabled.
Not hacked or compromised.
Not suspended for misuse by his organisation.

Access was removed because the service provider, Microsoft, was legally required to comply with US sanctions.

The consequence was immediate and practical. Without access to official email, the Chief Prosecutor could not conduct routine correspondence, coordinate with staff and partner states, or carry out core day-to-day duties.

In effect, a senior official was temporarily prevented from performing a lawful function by an external infrastructure decision.

There was no court ruling against the ICC.
There was no finding of wrongdoing.
There was no technical failure.

The cause was jurisdiction.

Why this matters

The International Criminal Court is a globally recognised institution mandated to investigate genocide, war crimes, and crimes against humanity. It operates under international law, with the backing of dozens of democratic states, including long-standing allies of the United States.

Yet a lawful official, performing official duties, lost access to essential digital infrastructure overnight.

That is not a theoretical risk.
It is an operational reality.

What actually happened

Under US sanctions law, US-headquartered providers are legally required to enforce restrictions when applicable, regardless of where data is stored or which privacy frameworks apply.

Because the provider fell under US jurisdiction, sanctions policy could be applied directly to the digital services used by the ICC.

Server location did not matter.
GDPR compliance did not matter.
The legality of the ICC’s mandate under international law did not matter.

Control followed jurisdiction.

Why this changes the cloud debate

For years, cloud risk has been framed in familiar terms:

The ICC incident cut through all of that.

It demonstrated, in practice, that reliance on infrastructure subject to foreign jurisdiction exposes organisations to political enforcement mechanisms, even when they operate lawfully and transparently.

This was not an abuse of power.
It was not exceptional.

It was simply possible.

From compliance risk to coercive leverage

Seen in isolation, this looks like a niche case.
Seen in context, it is a warning.

International relations are increasingly transactional. Pressure, leverage, and strategic advantage play a growing role. Rules-based assumptions no longer hold by default, even between allies.

In that world, digital infrastructure becomes leverage.

None of these require misuse to be dangerous.
They only need to exist as pressure points.

The ICC incident showed that this capability is already real.

Why this should worry cloud customers

If this can happen to an international court, it can happen to:

The common factor is not politics or controversy.

It is dependency on infrastructure controlled under a foreign jurisdiction.

Scope of the argument

The argument here is often misunderstood.

This is not about avoiding the cloud or rejecting US technology. It is about recognising that jurisdiction creates control, and control creates risk when concentrated in a single political system.

Digital sovereignty, in this sense, means designing critical paths so continuity is resilient to geopolitical pressure.

The uncomfortable conclusion

The ICC email block was small in scope, but enormous in implication.

It marked the moment when cloud dependency stopped being an IT or compliance concern and became a foreign-policy risk.

Every organisation relying on external digital infrastructure should now ask:

If continuity can be affected without wrongdoing, what assumptions are we still making about control?

For the ICC, that question was answered for them.