Playbook
Our regulator wants to see customer-managed keys and an EU data boundary
A European financial-services firm needs a defensible answer to "where does the data live, who can access it, and can you prove both?" Standard Azure is not enough — the audit requires customer-managed HSM keys, Confidential Computing for the most sensitive workloads, and a sovereign landing-zone pattern.
Trigger — DORA / NIS2 review; auditor flagged BYOK and operational sovereignty.
Good outcome — Sovereign landing zone, FIPS 140-3 Level 3 HSM keys, Confidential Computing for the regulated tier.