Our regulator wants to see customer-controlled keys and a guaranteed European data boundary
A European bank needs a defensible answer to: where does the data sit, who can reach it, and can you prove both? Standard Azure is not enough. The auditor requires encryption keys the customer holds themselves, an extra-secure setting for the most sensitive workloads, and an Azure environment locked into European borders.
Trigger — EU financial-services regulation (DORA / NIS2) review; auditor has called out key control and operational sovereignty.
Good outcome — The bank can show the regulator that customer data stays in Europe, that only authorised people can reach it, and that the most sensitive workloads run with keys the bank itself holds and never shares with Microsoft.