If you work in IT procurement, legal, or compliance for a European organisation, you’ve probably had this conversation more than once. Someone wants to roll out a unified communications platform like Teams, Webex, Zoom, take your pick and then someone else in the room asks the question that derails the whole timeline: where does the data actually live, and who can access it?
It’s a fair question. And the answer, depending on which vendor you’re looking at, ranges from “mostly fine” to “genuinely complicated.”
I’ve been looking at four major UC vendors through the lens of data sovereignty: Cisco Webex, Microsoft Teams, Mitel and Zoom. What follows isn’t meant to be a definitive legal assessment, I’m not a lawyer, and neither is this blog post but it does try to give you a realistic picture of where each platform stands, particularly if you’re operating in Germany or elsewhere in the EU under regulatory frameworks like C5, KRITIS, or the CLOUD Act.
The CLOUD Act problem nobody likes talking about
Let’s start with the uncomfortable one. Three of the four vendors here Cisco Webex, Microsoft Teams, and Zoom are US-headquartered companies. That means they’re all potentially subject to the CLOUD Act, which allows US law enforcement to compel American companies to hand over data stored overseas, including in Europe.
This isn’t a theoretical risk, and it doesn’t go away just because your data is hosted in a Frankfurt data centre. If the parent company is American, the exposure exists. Whether it’s ever acted upon is a separate question, but for organisations in regulated sectors, “probably won’t happen” isn’t always good enough.
Mitel is the outlier here. Because it offers genuine on-premises deployment options through partners like Delos and OVH it’s possible to keep infrastructure entirely within your own environment. That changes the CLOUD Act picture meaningfully. You’re not relying on a US company’s servers at all. For KRITIS operators or anyone dealing with particularly sensitive workloads, that’s worth taking seriously.
EU data residency: what “full” actually means
Webex and Mitel both claim full EU data residency, Webex across German and Netherlands infrastructure, Mitel hosted in Germany specifically. In principle, that’s reassuring.
Microsoft Teams offers partial EU data residency, but only for new tenants. If your organisation has been using Teams for a while, you may well be on older infrastructure with different data handling arrangements. It’s worth checking. The rollout of Microsoft’s EU Data Boundary has been gradual, and the specifics matter.
Zoom’s position is the most limited of the four. Metadata which can be more revealing than people realise is still processed in the US. That’s a meaningful gap, particularly for organisations where confidentiality of communications patterns matters, not just the content itself.
C5 and KRITIS: the German-specific layer
Germany’s C5 attestation scheme (Cloud Computing Compliance Criteria Catalogue, issued by the BSI) is one of the more demanding frameworks for cloud services operating in the German market. While it doesn’t function as a conventional certification, it acts as a form of verification backed by independent audits. This recognition is respected, especially in the public sector and areas involving critical infrastructure.
Webex is positioned strongly here, which perhaps makes sense given Cisco’s investment in German enterprise customers over the years. Microsoft achieves compliance with Azure’s C5 attestation, a certification that extends to Teams as well. However, this coverage is dependent on whether controls specific to Teams are relevant to your requirements. Mitel points to ISO 27001 as its primary compliance anchor, which is internationally recognised but not quite the same thing as C5. And Zoom’s compliance positioning is, charitably, limited in this space.
For KRITIS suitability that is, suitability for operators of critical national infrastructure Webex and Mitel both rate highly, with Mitel specifically strong for private deployments. Teams rates medium, and Zoom rates low, though there are indications Zoom is working to improve this.
Sovereign IaaS deployment: the question most RFPs don’t ask
This one doesn’t come up often enough. Can the vendor actually be deployed on sovereign cloud infrastructure, meaning EU-based, non-US-hyperscaler IaaS rather than just hosted on the vendor’s own cloud?
Mitel wins here clearly. Yes, it supports deployment on sovereign IaaS like Delos or OVH. That’s a significant differentiator for organisations that need to keep the full stack within EU-controlled infrastructure.
Webex is partial: dedicated infrastructure, yes; SaaS mode, no. So you get some flexibility, but not complete control over the hosting layer.
Teams and Zoom are both SaaS-only from a practical standpoint. There’s no meaningful path to running them on your own choice of EU sovereign cloud.
So who’s actually suited to what?
Honestly, it depends on what you’re trying to solve.
If you’re in the German public sector or healthcare, and sovereignty is a first-order requirement rather than a nice-to-have, Webex or Mitel are probably your serious options. Webex offers the more polished modern UC experience; Mitel offers deeper on-prem flexibility if that’s what your environment requires.
For large multinational enterprises that need UC at scale and aren’t subject to KRITIS or similar obligations, Teams remains a pragmatic choice. The C5 compliance via Azure is real, the data residency situation is improving, and for organisations already deep in the Microsoft ecosystem, the switching costs point elsewhere. You just need to go in clear-eyed about the CLOUD Act exposure and the metadata handling.
Zoom, I think, is best suited to commercial organisations where sovereignty requirements are lighter and the priority is ease of deployment and user experience. That’s a large part of the market. But for anyone with genuine regulatory obligations around data control, it’s hard to make Zoom work as the primary UC platform right now.
Conclusion: A few things worth keeping in mind
None of this is static. Microsoft has been actively investing in its EU data sovereignty story, and the situation in 2024 looks quite different from 2021. Zoom has been working to address some of its compliance gaps. Vendors update their infrastructure and attestations regularly, and what’s accurate today may shift.
It’s also worth remembering that C5, KRITIS suitability, and CLOUD Act exposure are different things that people sometimes conflate. A platform can have strong C5 positioning and still carry CLOUD Act risk. A platform can be ISO 27001 certified and not be appropriate for KRITIS environments. The frameworks are related but distinct, and procurement decisions benefit from treating them separately.
If you’re working through this for a specific organisation, the comparison above is a reasonable starting point, but I’d strongly suggest getting vendor-specific documentation on their current data processing agreements, sub-processor lists, and any relevant BSI attestation reports. The details, as usual, are where it gets interesting.
If you’re reviewing your UC landscape and trying to work out how sovereignty should shape your next steps, you’re not alone. Many organisations discover that the technical and legal layers don’t always align neatly, and it can be difficult to weigh the practical trade‑offs without seeing how each platform behaves in real environments. That’s usually the point where people reach out to us.
Damovo works with organisations across Europe on unified communications, contact centres, enterprise networking, and managed services. Much of our work sits in regulated sectors, so we spend a fair amount of time helping teams compare vendors not just on features, but on the implications for data handling, compliance, and operational control. Sometimes the outcome is a straightforward fit. Other times it takes a closer look at deployment models, hosting options, or the finer points of an attestation report.
If your organisation is reassessing its UC strategy or simply wants a clearer view of how these sovereignty questions affect your current setup, we’re available to support you whether that’s through a structured assessment, a technical workshop, or a discussion with your legal and compliance teams. The aim is to help you make choices that hold up under examination and offer lasting advantages.