In the spring of 2025 the chief prosecutor of the International Criminal Court tried to open his email and could not. Karim Khan, the man leading the Court's most politically dangerous investigations, found his Microsoft account dark. Within weeks the most revealing sentence in the whole affair was spoken, and it was not an accusation. It was a denial. Microsoft's president, Brad Smith, told reporters that the company's actions "did not in any way involve the cessation of services to the ICC," and a spokesman added that at no point did Microsoft cease or suspend its services to the Court.

Hold those two facts side by side, because the space between them is the subject of this essay. A prosecutor lost his email. The company that ran the email says it did not take it away. Both statements appear to be true. The prosecutor really was cut off, and Microsoft really may not have been the hand that did it, because once a person is placed under United States sanctions, an American company and the customer that depends on it are both swept into a legal machinery that neither of them fully steers. The interesting question is therefore not the one everyone asked, which was whether Microsoft switched off a court. The interesting question is how an institution can be silenced while the only company capable of silencing it can truthfully say it did nothing.

That is not a story about a bad company. It is a story about a kind of power that does not require anyone to decide to use it.

The outage everyone read wrong

Start by being precise about what happened, because the loose version of this story is the enemy of the real one.

The documented facts are narrow and solid. In February 2025 the United States, under an executive order, imposed sanctions on Khan personally over the Court's arrest warrants. His bank accounts in Britain were frozen. In May, reporting from inside the Court described his Microsoft email going dark, and the ICC moving him onto Proton Mail, a Swiss provider outside American reach. By the autumn the Court announced it was migrating off Microsoft's office software altogether, toward a European open-source suite. Those facts are not in dispute.

What is in dispute is the verb. Did Microsoft cut him off, or did the Court move him before Microsoft had to? Microsoft insists, and may well be right, that it never pulled the plug, that it kept serving the institution, that the migration was the customer's own decision. Critics inside the Court describe a company complying with sanctions by closing an account. The reporting does not cleanly resolve which it was, and that irresolution is not a gap in the story. It is the story.

Because notice what the dispute reveals. Both readings end in the same place: the prosecutor lost his email because of an American legal decision, transmitted through an American company, and there was nothing the Court could do about it except flee to a provider in a different jurisdiction. Whether Microsoft acted or the Court pre-empted, the determining force was identical. It was not a corporate choice. It was the reach of one government's law into the infrastructure another institution had come to depend on. The company's denial is credible precisely because the power in question never needed the company's intent. The sanctions did the work. Microsoft was the surface they traveled across.

This is the first and most important correction. The popular frame imagines a switch in Redmond and a finger on it. The accurate frame has no finger. It has a structure in which a sanction in Washington becomes an outage in The Hague by operation of law, and the most powerful software company on earth can stand in the middle of that and honestly say it was a bystander to its own platform.

The law that travels with the company

To see why the bystander's defense holds, look at the legal pipe the outage traveled through, because it was laid years before anyone needed it.

In 2018 the United States passed the Clarifying Lawful Overseas Use of Data Act, known as the CLOUD Act, attached without much debate to a spending bill. Its core provision is a single, far-reaching idea: an American provider must preserve and produce the data in its control when lawfully ordered, regardless of where in the world that data physically sits. A demand served on a company's American headquarters reaches its servers in Frankfurt, Amsterdam, and Dublin. The data can live on European soil, inside a European data center, under a contract written in European law, and still be reachable, because the thing the law acts on is not the soil. It is the company.

This is the quiet inversion that almost no one outside the field has absorbed. For all of history, jurisdiction followed territory. The state's writ ended at its border, and what sat on foreign ground answered to foreign law. The CLOUD Act detaches jurisdiction from the ground and attaches it to the corporate person. It is not that the data crossed the border. It is that the border crossed into the data. Wherever an American company holds your information, a piece of American legal territory has formed around it, invisible and load-bearing, and you are standing inside it without having traveled anywhere.

There are real limits worth stating, because overstating this is how the argument loses its credibility. The CLOUD Act is a compulsion mechanism, not an unconditional master key. A provider can, in narrow circumstances, move to quash a demand that targets a foreign person and conflicts with a qualifying foreign government's law. European law pushes back hard from the other side: the data-protection regime treats third-country demands as valid only through formal international agreements, and Europe's highest court has twice struck down the transfer frameworks that tried to paper over the conflict. So this is not a world where Washington reads every European file at will. It is a world where the legal possibility exists, the conflict is unresolved, and the European institution depending on the American provider cannot make the possibility go away. The exposure is structural. It does not require the power to be used. It only requires that it cannot be ruled out.

And here the sanctions case and the data case fuse into one mechanism. Whether the lever is a subpoena reaching data abroad or a sanctions order reaching an account, the principle is the same: the controlling variable is not where the service runs or who the customer is. It is which government holds legal authority over the company that runs it. The vendor's home state is a silent party to every contract the vendor signs. You think you have bought a service. You have also, without a line about it in the agreement, accepted a sovereign.

The exit that was never built

If the exposure is so plain, the obvious question is why the dependent institutions do not simply leave. The answer is the heart of the matter, and it is not inertia.

They do not leave because, for most of them, there is no longer anywhere to go without paying a price close to paralysis. Across two decades, the productivity tools of European government quietly consolidated onto a single vendor's stack. By the most cited estimates, which come from an industry coalition and should be read as advocacy rather than audit but which point in a direction no one seriously disputes, Microsoft software runs something like three-quarters of the European public sector's productivity work, and far more than that inside many national ministries, courts, and schools. The word processor, the email, the spreadsheet, the meeting, the identity login that ties them together, the cloud that stores all of it: one ecosystem, woven into the daily motion of the state until the state could no longer perform its ordinary functions without it.

What that weaving did was abolish the exit. The economist Albert Hirschman gave us the cleanest way to see this. When an organization declines or a relationship sours, those inside it have two broad responses available: exit, walking away, and voice, staying and complaining. Exit is what disciplines a provider; the credible threat to leave is what keeps the served party sovereign. Remove the possibility of exit and only voice remains, and voice without exit is petition, not power. A government that cannot leave its software vendor can object to that vendor, can regulate it, can hold hearings about it, but it can no longer discipline it, because the one sanction that matters, withdrawal, has been priced out of reach.

You can measure the height of that price by watching the few who have tried to pay it. A German state, Schleswig-Holstein, decided to move roughly thirty thousand public workstations off Microsoft Office onto open-source software, and the effort is a multi-year campaign with a dedicated support apparatus that, more than a year in, had converted most but not all of its office work and had barely begun the deeper migration off the operating system. Denmark's digital ministry began moving its staff to open-source office software, and two of its largest cities started shifting away from Microsoft products, citing the cost of dependence; the spending that alarmed them had risen by more than seventy percent in five years. But even Denmark, having announced the ambition, walked back the idea of abandoning Windows wholesale, because the full exit turned out to be harder than the headline. These are not failures. They are the most determined attempts on the continent, and their slowness is the evidence. When leaving a vendor takes a sovereign government several years, a special agency, and a partial retreat, the vendor is not really a supplier any longer. It has become infrastructure, and infrastructure is the thing you build a society on top of, not the thing you can put out to tender next quarter.

This is what the philosopher Ivan Illich called a radical monopoly: not one company beating its competitors on price, but a tool becoming so woven into how a function is performed that the function can no longer be imagined without it. The car does not merely outcompete walking; past a certain point it reshapes the city so that walking no longer reaches anything, and then the car is not a choice but a precondition. The cloud has done the same to administration. It did not win the argument about how a state should keep its records. It became the only remaining way to keep them, and a tool that has become the only way is no longer subject to the question of whether you want it.

So the determining variable comes into focus, and it was never Microsoft's intentions. It is the absence of an exit. A dependence you can leave is a contract. A dependence you cannot leave is a jurisdiction. The reason the prosecutor's outage matters is not that it was dramatic but that it was a demonstration, at the scale of a single account, of a condition that now holds at the scale of states: the party that cannot walk away does not control the thing it cannot walk away from, no matter whose soil it sits on or whose name is on the contract.

Who is actually exposed

The prosecutor makes the mechanism legible because his case is dramatic and his name is known. But he is the smallest part of what sits inside this exposure, and the rest of it has no name at all.

Behind the prosecutor's inbox stands everything else the same infrastructure carries. The hospital that keeps its patient records in the cloud. The tax authority that holds a nation's incomes. The benefits office that decides whether a family is paid this month. The court that stores the evidence in a criminal case, the school that keeps the file on a child, the police force that runs its case management on the same productivity stack as the ministry above it. None of these is a sanctioned individual, and none of them will ever be the subject of an executive order. They are exposed in a quieter way. Their most sensitive records sit, by default and without anyone choosing it, inside the legal reach of a government they did not elect, retrievable in principle through a process they will never see and could not contest.

For the ordinary person this stays invisible until the day it does not, and most days it does not, which is exactly why it accumulates. A citizen never signed a contract with an American provider. A patient never agreed that the scan of her body should fall under a foreign jurisdiction. A defendant never consented to having the evidence in his case held on infrastructure his own state cannot fully reach. These were decisions taken far above them, by procurement officers choosing the convenient option, and the consequence runs downhill in silence until some sanction or breach or order makes it briefly visible, at which point the person discovers, as the prosecutor did, that the thing they assumed answered to their own institution had been answering, all along, to someone else. The prosecutor is the legible version. Everyone whose life is recorded on the same machinery is the illegible one, and there are far more of them, and no one ever told them.

One key, twenty-five governments

There is a second face to this dependence, and it showed itself a year before the prosecutor lost his email, in a way that had nothing to do with politics and everything to do with concentration.

In the middle of 2023 a group of hackers based in China, which Microsoft tracks as Storm-0558, obtained one of the company's cryptographic signing keys, a key from 2016 that should have been retired and had never been rotated, and used it, together with a flaw that let a consumer key sign business credentials, to forge their way into email accounts across roughly two dozen organizations. The victims were not trivial. They included the United States State Department and the Commerce Secretary. One stolen key, years out of date, opened the official correspondence of part of the American government.

What followed is the part that matters for this argument. The United States convened its Cyber Safety Review Board to examine the breach, and the board's report was unusually blunt for an official document. It found that the intrusion was preventable and should never have happened, that it resulted from a cascade of avoidable errors, and that Microsoft's security culture was inadequate and required an overhaul, a remarkable thing to say about the company on which so much of the government's own work depends. The board also found Microsoft's public account of how the key was stolen to be substantially incomplete.

Sit with the structure that reveals. The same concentration that makes the dependence convenient makes the failure total. When one company's single key can be the master key to two dozen institutions, the breach of that key is not an incident at one vendor. It is a simultaneous breach everywhere the vendor reaches. The economist's term for this is a single point of failure, the one component whose collapse brings down everything resting on it, and the warning that the most efficient systems are the ones most likely to have built one without noticing. Europe's governments did not consolidate onto one provider in order to create a single point of failure. They did it because consolidation was cheaper, smoother, easier to manage, better integrated. The single point of failure was the by-product, the thing efficiency leaves behind, and you discover you have built one only when the key is stolen or the sanction is signed.

Why no one had to decide

Now return to the denial that opened this essay, because it can finally be read correctly.

Brad Smith's statement that Microsoft did not cut off the Court was not a dodge. It was a description of how this kind of power actually operates. The architecture of the digital veto does not run on a decision. It runs on a structure in which many parties, each acting reasonably within its own role, produce together an outcome none of them quite chose. The American government issues a lawful sanction. The American company, bound by law to comply, adjusts what it can provide. The dependent institution, seeing the exposure, moves itself before it can be moved. Each actor behaves rationally and within the rules, and the sum of all that rational, rule-bound behavior is a court silenced, with no one in the chain having to will the silencing and everyone able to say, accurately, that they only did their part.

The economist Friedrich Hayek spent his life on the difference between an order someone designs and an order that emerges from many people pursuing their own ends, and on the human tendency to insist on an architect where there is none. The digital veto is an emergent order of exactly that kind. No one in Redmond drew up a plan to make the world's institutions dependent on a permission they could not withdraw. The dependence assembled itself out of a billion separate, sensible decisions, each procurement officer choosing the cheaper and more capable option, each ministry following the last, each migration deepening the lock until the structure was complete and no longer needed anyone to operate it. This is the part the conspiratorial version of the story gets backward. The danger is not that a tech executive can decide to switch off a government. The danger is that the switching can happen with no executive deciding anything, because the power has been built into the arrangement itself and has passed beyond the reach of intention.

That is why the most honest sentence in the affair was the denial. Microsoft did not cut off the Court, and the Court was cut off anyway, and both of those things being true at once is not a paradox to be resolved. It is the finished form of the mechanism. The veto is most complete precisely when no one is holding it.

The company is interchangeable

One test of whether you have found a structure rather than a culprit is whether swapping the names changes anything, and here they do not.

Replace Microsoft with Amazon Web Services or Google Cloud and every load-bearing fact survives. Each is an American company. Each falls under the same CLOUD Act and the same sanctions law. Each has woven itself into governments, hospitals, and ministries until leaving means rebuilding. Each concentrates so much function that the failure of one key or one account ripples across everyone downstream. The choice of vendor is a choice of which American company, not of whether the exposure exists. That is the signature of a structural condition rather than a corporate one: the variable does not live in the firm, it lives in the firm's nationality and the depth of the dependence, and those two things hold no matter which logo is on the contract.

This is why the cleanest statement of the whole matter names no company at all. The decisive question about any infrastructure a society cannot perform its functions without is not who owns the data, which can be argued endlessly, but whose law owns the company that holds it, which usually cannot be argued at all because it was settled the day that company was incorporated. Sovereignty in the cloud age is not measured by where your data lives. It is measured by whether you can leave, and by whose courts can reach the company you cannot leave. By that measure a great deal of what Europe still calls sovereign is rented, and the lease is written in a language the tenants do not control.

What Europe is doing, and why it is so hard

None of this is secret, and Europe has begun, slowly and unevenly, to respond, which is the surest proof of how deep the dependence runs.

The responses come in two shapes, and the gap between them is instructive. The first is to try to build a real exit: the open-source migrations in Schleswig-Holstein and Denmark, the slow reconstruction of a software stack a government can actually own. These are the genuine article, and they are rare and painful, because they mean rebuilding from the foundation the very thing that was outsourced precisely to avoid building it. The second shape is more telling: the so-called sovereign cloud, in which the American technology is kept but wrapped in a layer of local ownership and operation. France's "trusted cloud" effort, Bleu, is owned by two French firms, the consultancy Capgemini and the telecom Orange, with Microsoft present only as a technology supplier distributing its cloud inside a French wrapper; a parallel venture, S3NS, pairs the French defense group Thales with Google. Both are chasing the French state's strict sovereignty qualification; the Thales and Google venture reached it at the end of 2025, while Bleu's full certification remains a target rather than a fact. The design goal is openly stated: satisfy the demand for sovereignty without paying the price of leaving, by putting a national shell around the foreign engine.

But a shell around an engine does not change what the engine is, and that is the unresolved heart of the sovereign-cloud idea. If the underlying technology remains an American company's, the jurisdictional question does not vanish; it is merely dressed in local colors, and whether the dressing is legally sufficient is exactly what no one has yet proven. Europe's own regulators have started to answer skeptically. The European Data Protection Supervisor, examining how the European Commission itself used Microsoft's software, found in 2024 that the Commission had breached the data-protection law governing the Union's own institutions, on international data transfers and on a failure to specify what was being collected and why, and ordered it to suspend the offending data flows. Read that again. The executive arm of the European Union was found in breach of European data rules through its own dependence on an American provider, and the body that found it was another European institution. The continent is, in the most literal way, regulating against a dependence it cannot itself escape, drafting the rules on the very software those rules indict. And the institution that started this story drew the bluntest conclusion of all: by late 2025 the International Criminal Court announced it was abandoning Microsoft's office software for a European open-source suite, the German-built openDesk, choosing the slow, expensive exit over the comfortable exposure, because for a court that prosecutes the powerful, a tool that can go dark by another power's order is not a tool it can afford.

The point of cataloguing this is not to mock the effort. It is to show the size of the thing being pushed against. When the strongest responses available are a multi-year migration that governments only half complete, and a sovereign wrapper that keeps the foreign engine running underneath, you are not looking at a problem that better procurement could have avoided. You are looking at a structure that has already set, and the question has shifted from how to prevent the dependence to how to live with a sovereignty that now runs, in part, on someone else's law.

Where the defense is right

A piece like this owes its opponent the strongest version of the other case, not least because the other case is largely correct on its own terms, and pretending otherwise would be the exact intellectual dishonesty the argument is meant to resist.

The defense runs like this, and every clause of it is true. No European provider today matches the scale, the security investment, the feature depth, or the integration of the American hyperscalers, and European governments did not stumble into dependence; they chose these providers, repeatedly, in open competition, because they were the best option on offer. The concentration is a revealed preference at least as much as a trap. The security argument cuts both ways: the same scale that made Storm-0558 so damaging also funds defenses no individual government could afford, and produced, after the breach, a level of public accountability that smaller or purely national providers rarely face. Migration really is hard for sound operational reasons, not merely inertia, which is why even committed governments move slowly. And the ICC episode, properly understood, was sanctions compliance, not corporate caprice: any American company, and most large European ones with American operations, must obey American sanctions law, and Microsoft's insistence that it follows the law and provides a neutral platform is legally coherent. The trigger was a government's decision, not a company's whim. The market, moreover, is responding, with sovereign-cloud offerings and data-boundary commitments built precisely to address these fears.

All of that deserves to stand at full height, and the strongest form of this essay's claim is the one that grants every word of it. Because the case against single-vendor dependence was never that Microsoft is malicious or incompetent. It is that competence and good faith are not the variable. A benign provider and a hostile one expose you to exactly the same jurisdictional reach, because the reach belongs to the provider's government, not the provider. The question the defense never quite answers is the only one that matters: not whether the dependence is efficient, which it is, and not whether the provider behaves well, which it largely does, but whether a sovereign function should rest on a variable, another state's law over the company, that the sovereign cannot control, cannot inspect, and as the prosecutor learned, cannot opt out of once the sanction is signed. You can concede that the cloud is cheaper, safer, and better run than anything Europe could build alone, and still notice that none of those virtues touches the one thing sovereignty is supposed to mean, which is that the decisive power over your own functions is held by you.

What was always underneath

So go back, one last time, to the prosecutor staring at a dark screen in The Hague, and ask what he had actually lost.

Not his data, which still existed. Not his service, which Microsoft says it never withdrew. What he had lost was the thing he never knew he had handed over: the assumption that the tools of his office answered to his office. For years that assumption had cost nothing and so was never examined, the way the foundations of a building are never examined until the ground shifts. He had typed his cases, sent his mail, stored his evidence, and the convenience of it had been total and the price invisible, and the price was this, payable in full on a single morning: that the most important correspondence in international justice ran on an infrastructure whose ultimate loyalty lay in another country's law, and that when that law turned against him, the infrastructure turned with it, and no one had to decide for it to happen.

That is what the whole arrangement was, underneath the language of cloud and service and platform. It was never only software. The contract that looked administrative was, all along, a quiet transfer of a piece of sovereignty, accepted one update at a time, by institutions that thought they were buying convenience and were also, without a clause naming it, acquiring a foreign sovereign as a silent partner in their most sensitive work. The prosecutor's outage did not create that condition. It revealed it, briefly, at the scale of one account, the way a single tripped breaker reveals that the whole house was wired through one box in a room you never enter and do not own.

The question this leaves is not whether to trust Microsoft, which is the wrong question and always was. It is whether a society can call itself sovereign over the functions it can no longer perform without permission it cannot withdraw, granted by a company it cannot leave, under a law it did not write. The prosecutor found his answer the morning the screen stayed dark. The rest of us are still pretending we have not seen ours.

Evidence Map

Facts, interpretations, forecasts, and disconfirming signals.

Core claim. The "digital veto" is real but misnamed. The determining variable is not Microsoft's will but JURISDICTION OVER THE VENDOR (the vendor's home-state law reaches the service regardless of where data sits or who the customer is) combined with the ABSENCE OF AN EXIT (switching costs make the dependence effectively irreversible). The power is emergent and self-operating: a sanction in Washington can become an outage in The Hague with no one in the chain choosing the outcome, which is why Microsoft can truthfully deny acting while the Court was cut off anyway.

Evidence level. Facts (high, documented): the 2025 US executive-order sanctions on ICC prosecutor Karim Khan and the freezing of his accounts; Khan losing access to his Microsoft email and the ICC moving to Proton Mail and later to open-source software; Brad Smith's denial that Microsoft ceased services; the CLOUD Act (2018) compelling US providers to produce data regardless of storage location; the Storm-0558 breach (2023) via a stolen 2016 signing key reaching the State Department and Commerce Secretary, and the US Cyber Safety Review Board (2024) finding it "preventable," a "cascade of avoidable errors," with a security culture "inadequate and requires an overhaul"; the Schleswig-Holstein (~30,000 workstations) and Danish open-source migrations; the EDPS 2024 finding that the European Commission's use of Microsoft 365 breached EU-institution data law. Contested (marked): WHETHER Microsoft or the ICC was the actor in the email cutoff (Microsoft denies acting; the outcome was identical either way, which is the point). Interpretation (medium, marked): the reading that jurisdiction-over-the-vendor plus foreclosed exit is the determining variable, and that the veto is Hayekian-emergent. Advocacy-sourced (attributed): the ~77-90% Microsoft public-sector dependence figures come from an industry coalition, not a neutral audit.

What would confirm this. Further cases where a sanctions or legal action against a person or body produces loss of access to cloud services regardless of provider intent; continued evidence that exit (migration) remains multi-year and partial even for determined governments; sovereign-cloud "wrappers" that keep the foreign engine and therefore the jurisdictional exposure.

What would disprove this. Evidence that European institutions can in practice exit a hyperscaler quickly and cheaply (a real, low-cost exit would make the dependence a contract, not a jurisdiction); a binding legal settlement that durably severs US jurisdiction from data and services held in Europe; or evidence that the ICC cutoff was a discretionary Microsoft choice rather than a structural sanctions effect, which would relocate the power to corporate will rather than structure.

Watchlist. The completion rate of the Schleswig-Holstein and Danish migrations; SecNumCloud and EU-data-boundary qualifications for "sovereign" clouds; any litigation resolving the CLOUD Act versus EU data-law conflict; whether any government-scale (not account-scale) access disruption ever occurs.

Jerry van der Laan writes The Manifest Archive, daily forensic essays on power, language, and the systems that shape what we are allowed to see as reality. He traces the structures beneath them.