When Governments Pull the Plug

Since spring, Brussels has been buzzing with the worry that, if geopolitical winds shift, Washington might order U.S. hyperscalers to yank the plug on cloud and productivity suites running Europe’s daily business. Although orders of suspensions of core digital services are rare and have always been very narrow and targeted, Politico summed up the anxiety crisply in late June: “Trump can pull the plug on the internet, and Europe can’t do anything about it.”

But as European firms and governments fret about the United States, a recent episode involving a U.S. tech giant and an Indian oil company set an awkward precedent. In response to a new wave of EU sanctions against Russia, Microsoft temporarily suspended its services to Nayara Energy, an Indian company with Russian ties, and then restored them days later, telling Reuters it was “in ongoing discussions with the European Union towards service continuity.”

In doing so, the EU found itself on the other side of the “kill switch” equation. It has been a vocal opponent of the very power it has just wielded, demonstrating that the ability to cut off digital services is not a unilateral power held by only one nation.

This is a complex and ironic turn of events with implications for how many countries or international organizations might pull the plug on internet services. European policymakers have been increasingly concerned about a U.S. “kill switch,” despite reassurances from hyperscalers that digital services will be protected. An analysis of the Microsoft-Nayara incident shows just how complicated the situation is, and how kill-switch risks are more widespread than EU policymakers appreciate. Instead of a simple U.S. versus EU narrative, regulating potential kill-switch policies lies at the messy intersection of sanctions law, platform usage, and cross-border dependencies. To prevent future issues and conflicts of laws, democratic countries should create a new international framework for cooperation.

Europe’s “Kill Switch” Anxiety

The European Union’s push for digital sovereignty is a central pillar of its broader quest for “strategic autonomy,” a policy objective that extends from defense to technology and economics. European leaders and policymakers are increasingly vocal about the continent’s reliance on foreign powers, particularly the United States and China, and the risk of losing economic and geopolitical ground to them. As the Draghi Report, the EU’s 2024 analysis of its long-term economic competitiveness, put it in the very first page of its foreword, Europe’s “dependencies have turned out to be vulnerabilities.” Critics of these asymmetric relationships see the digital realm as a particularly acute area of this dependence, with a palpable sense that the EU is one executive order away from having its critical digital infrastructure compromised. The EU’s own 2025 State of the Digital Decade report highlighted “strategic dependence” on non-EU service providers as a major challenge.

The foundation of this dependence lies in the overwhelming market dominance of U.S. cloud providers. Just three U.S. giants—Amazon, Microsoft, and Google—control more than 72 percent of Europe’s cloud market. This concentration of power is increasingly perceived in Europe as a matter of national security. Because cloud computing is the “lifeblood of the internet,” powering everything from government communications and industrial data processing to public-facing digital services, the perception in Europe (and elsewhere) is that reliance on foreign providers poses a severe risk. A deliberate service failure, whether by accident or design, could simultaneously affect critical services across the continent. Policymakers are concerned that a foreign government could leverage this dependency to achieve political or economic objectives.

The EU’s old concerns that U.S. government authorities could potentially access Europeans’ personal data, exemplified by the debates about the extraterritorial reach of the CLOUD Act and potential conflicts between U.S. laws and the EU’s General Data Protection Regulation (GDPR), have thus recently been complemented by a deeper, more systemic fear of strategic and technological dependence. 

An Ambiguous Precedent

In May and June 2025, reports that International Criminal Court (ICC) Chief Prosecutor Karim Khan lost access to his Microsoft-hosted email—after a U.S. executive order sanctioned him—set Brussels on edge about a potential U.S. kill switch that could turn off the digital infrastructure on which Europeans rely. Associated Press accounts said Microsoft had blocked Khan’s email and that sanctions were hampering ICC operations; in response, Microsoft’s Brad Smith insisted that the company did not cease or suspend ICC services, acknowledging the issue while disputing the “shutdown” characterization. Regardless, the episode further fueled concern in Europe. If U.S. policy can ripple into essential cloud services used by European institutions (or international bodies on European soil), how resilient is Europe’s digital core? 

An article in Politico in June captured this tension. The ICC email flap became Exhibit A in a broader narrative that Washington could weaponize platform control, even as Microsoft publicly said that “at no point did [it] cease or suspend services to the ICC.” In other words: facts contested, risk perceived. That ambiguity—plus the timing—fanned Europe’s kill-switch debate.

Even before the Khan incident, members of the European Parliament (MEPs) had increasingly begun stating their concerns outright. In Science|Business, German Green MEP Alexandra Geese argued that U.S. tech could be an instrument for “regime change,” urging tougher EU action; MEPs Brando Benifei and Matthias Ecke, Italian and German members of the Progressive Alliance of Socialists and Democrats, pressed for concrete digital sovereignty measures. Politico likewise quoted Ecke’s warning that Europe faces a “serious risk” that its data could be used by the U.S. administration—or that infrastructure could be made inaccessible—if geopolitics sour. Formerly skeptical MEPs now back a European cloud, calling their shift a “huge flip-flop” because “the world has changed.” These politicians, building on the Draghi Report, are acknowledging that dependency breeds vulnerability.

European providers have capitalized on this opportunity and leaned into the concern to offer a homegrown alternative. At a Brussels event cited by Politico, OVHcloud CEO Benjamin Revcolevschi put it directly: “The risk of a shutdown is the new paradigm …. Cloud is like a tap of water. What if at some moment the tap is closed?” Euractiv, around the same time, ran a parallel interview of Revcolevschi in which he urged firms to anticipate discontinuity risk and consider European sovereign options. 

U.S. Hyperscalers Try to Calm the Storm

The U.S. cloud service giants have been responding to these escalating concerns with efforts to settle European policymakers’ nerves. On April 30, Microsoft tried to defuse the anxiety with five “European digital commitments,” including an explicit promise to “uphold Europe’s digital resilience regardless of geopolitical and trade volatility,” and a 40 percent capacity expansion across Europe. In June, Microsoft followed up on these commitments with “Sovereign Cloud” offerings (public, private, and, national-partner clouds) and new controls, including Data Guardian (EU-resident oversight of support access), External Key Management, and Microsoft 365 Local that would have service continuity for on-premises, air-gapped networks. The messaging was unmistakable: Even in a geopolitical storm, European services should keep running. The Financial Times made the politics explicit, reporting on the moves under the headline, “Microsoft vows to protect European operations from Donald Trump.”

On May 21, Google also rolled out a refreshed sovereignty portfolio—Data Boundary (EU/U.S. processing boundaries with client-side encryption and key access justifications), Google Cloud Dedicated via EU partners (e.g., Thales/S3NS in France, SecNumCloud-aligned), and even air-gapped cloud options. The common theme among the Google options is an emphasis on continuity under local legal control and operational autonomy.

AWS, meanwhile, doubled down on June 3, and updated on August 4, its European Sovereign Cloud: EU-only operations, EU-resident staff, EU governance and security operations centers, separate infrastructure and a trusted third party (known as a certificate authority, or CA), and a design explicitly organized to ensure independent and continuous operations “even in the event of a connectivity interruption between [the EU sovereign cloud] and the rest of the world.”

Oracle has also been pushing an EU Sovereign Cloud since 2023; on May 20, 2025, it added EU-sovereign operations for Compute Cloud@Customer and even an air-gapped offering, pointing to the same continuity-and-control story for regulated workloads.

By late spring 2025, every major hyperscaler had published fresh, Europe-specific sovereignty and continuity commitments—essentially promising that, if someone somewhere tries to pull a plug, your lights stay on here.

The Nayara Energy Episode

The theoretical debate over the kill switch abruptly collided with reality in late July 2025. The Nayara Energy incident demonstrates the complexities of modern geopolitical and legal conflicts, in which a regulatory decision in one part of the world can have an instantaneous and dramatic effect on a company thousands of miles away.

For Nayara, that regulatory decision was made on July 18-19, when the EU adopted and published its 18th sanctions package against Russia. Alongside sectoral measures, the council listed Nayara Energy Limited (India) as entry 639 in the Annex to Council Implementing Regulation (EU) 2025/1476 under Regulation 269/2014, citing its 49.13 percent Rosneft ownership and role in facilitating Russian oil-revenue flows through exports of refined products. While the company maintains that it is an Indian entity governed by Indian law, its inclusion on the EU sanctions list subjected it to a “stringent ‘asset freeze’ measure.” Listing means an asset freeze within EU jurisdiction and a prohibition on making funds or economic resources available to the listed entity.

Nayara’s listing triggered commercial disruptions for the company and its clients and partners. Shippers and insurers backed away, the firm reportedly cut refinery runs, and tanker logistics got messy. And, within days, Microsoft services used by Nayara (Outlook/Teams, and broader Microsoft 365 suite) were suspended, according to court filings and press reports.

The commission’s standing FAQ on asset freezes spells out why this might have happened: “Labour and services can be considered as economic resources.” In other words, services—including IT and cloud—can fall under the ban if they “make an economic resource available” to a listed person or company. There are licenses and exceptions in specific contexts, but the default is: Don’t provide services and resources.

Nayara sued in the Delhi High Court, alleging abrupt, unilateral suspension without notice. The shutdown clearly impaired day-to-day operations. The company’s legal filing argued that Microsoft had no legal requirement to take this action under U.S. or Indian law, and that it was attempting to extend a foreign [EU] legal framework into a jurisdiction where it had no applicability. The government of India’s official response echoed this sentiment, stating that it “does not recognise unilateral sanctions.”

In a surprising turn of events, and just before a scheduled hearing in the Delhi High Court, Microsoft “backed down” and restored all services to Nayara. A Microsoft spokesperson confirmed the restoration and stated that the company was “engaged in ongoing discussions with the European Union towards service continuity for the organisation.” That acknowledges a conversation with EU authorities—not necessarily an order—to clarify the lawful boundary between a prohibited “economic resource” and services that might be permitted.

There is no public evidence the EU issued a bespoke command to Microsoft either to cut or to restore services. Instead, the cutoff appears to have been part of the general legal effect of listing. EU persons (including EU subsidiaries of non-EU companies) may not make funds or economic resources available to a listed person. A conservative compliance stance by an EU-based Microsoft entity (or operations involving EU staff or infrastructure) likely led to a temporary shutdown unless a lawful path (for instance, an exemption or an exception) is identified.

The restoration appears to have followed dialogue (Microsoft’s words) between Microsoft and the EU, and parallel court pressure in India. But, to date, a published EU comfort letter or license has not been put on the record; if one exists, it hasn’t been made public.

An explicit order to cut off Nayara, or one to restore services, isn’t necessary to explain why events unfolded the way they did. EU sanctions apply to EU persons and within EU territories and jurisdictions. But for a multinational with intertwined support, shared code, and EU staff in the loop, the cleanest way to avoid a violation can be to suspend globally first and ask questions later—especially when the EU Commission’s guidance treats “services” as economic resources. That seems to be a method of risk management. Afterward, the company can carve out a compliant operating mode. As an example, Microsoft’s June sovereign-cloud controls (Data Guardian, external key-management service, EU-resident access oversight) exist precisely to make these carve-outs easier.

Did Europe flip a kill switch when it listed Nayara? If “kill switch” means a bespoke, discretionary order to shut one company’s IT off, the public record doesn’t show that. But what Europe did do—list a company under asset-freeze rules that treat all services as “economic resources”—created a legal environment in which a provider’s prudent reaction looks exactly like a kill switch to the customer on the other end of the wire. In essence, the EU did not need to issue a direct order; its sanctions created compliance obligations that led a provider to pause services pending legal clarity.

Even as Europe worries that a U.S. administration might force a shutdown from Washington, the EU’s own listing action, coupled with its economic-resources doctrine, predictably triggered a shutdown from Brussels’s legal perspective.

The Kill Switch Pattern

The Nayara Energy incident is not an outlier. It is the latest reminder that what is called a kill switch can be activated—directly or indirectly—by multiple jurisdictions, not only the United States. That reality exposes a more difficult and complex problem for global commerce: the ever-present threat of conflicting legal frameworks.

Over the past decade there have been several episodes that look and feel like a digital kill switch (think of GitHub-Iran, Huawei-Google, and Crimea app-store/payment curbs, among others). Three are especially instructive here—each showing how policy, platforms, and jurisdiction combine to turn services off (and sometimes back on).

In April 2022, the Amsterdam Trade Bank (ATB), a Dutch bank with a Russian parent company, was declared “solvent but bankrupt.” Its failure was not due to financial insolvency but to a “financial boycott” triggered by U.S. and U.K. sanctions on its parent, Alfa Bank. Critically, ATB’s bank accounts at Deutsche Bank, ING, and UBS were blocked and many of its digital services providers indicated they could not continue supporting the bank. This cutoff crippled the bank’s operations, leading to its demise. The EU did not directly sanction ATB, yet a bank operating within the EU was effectively taken down by the extraterritorial effect of U.S. and U.K. sanctions.

In October 2019, Adobe announced it would shut off Creative Cloud/Document Cloud in Venezuela to comply with a U.S. executive order—an immediate, country-wide loss of productivity tools. Within weeks, after “discussions with the U.S. government,” Adobe secured a license and restored service, a classic suspend-first, license-later arc. In this case, like in the Nayara Energy incident, a global vendor pulled services to avoid sanctions risk and then reenabled them once a lawful path was clarified.

In November 2018, Belgium-based SWIFT suspended some Iranian banks’ access to its messaging system—calling it “regrettable” but necessary for the “stability and integrity” of the financial system. The EU publicly expressed regret, while U.S. secondary-sanctions pressure loomed in the background. Whatever you call it, that’s a functional kill switch for international payments.

These cases demonstrate that the narrative among European policymakers needs to move beyond a binary U.S.-EU frame to a genuinely polycentric one. Europe is right to worry about dependencies that can become vulnerabilities; the case for strategic autonomy is real. But focusing only on a hypothetical American “plug-pull” is incomplete. The EU, the U.K., the U.S., India, and other jurisdictions all wield legal instruments—including sanctions, export controls, and trust-infrastructure rules—that can precipitate service interruptions. Many hands can pull a plug. While it is clear that historically a kill switch has been used very rarely and in a narrow and targeted manner, theoretically, and depending on the circumstances, the switch might be accessible to more than one major power, creating a complex and unpredictable global digital environment for operators and users alike.

The Nayara, ATB, Adobe, and SWIFT cases expose the difficult and complex situations of conflicts of laws that global corporations can face. Complying with one jurisdiction’s regulations may mean noncompliance with another’s. The current geopolitical climate, characterized by the rise of economic blocs and a growing emphasis on strategic autonomy, makes this situation more challenging.

However, acknowledging the case for strategic autonomy and digital sovereignty does not imply embracing total fragmentation. The idea that each country should build an independent, “air-gapped” stack is, in most contexts, economically inefficient and technologically brittle. It duplicates fixed costs, sacrifices scale and network effects, and still leaves cross-border touchpoints—updates, security telemetry, supply chains, certificates—where the same conflicts will reemerge. Apparent isolation can also increase cyber risk by foregoing the velocity of global patching and collective defence. 

Toward Proactive, Cooperative Solutions

The episodes above—Nayara included—show that technical fixes alone will not suffice. What is missing is legal architecture capable of managing cross-border collisions. Like-minded democracies should articulate common principles and procedures so that necessary measures bite where intended, while essential digital functions remain lawful, reviewable, and minimally interruptible.

The regime should be open, transparent, and nondiscriminatory, developed with Group of 20/Organization for Economic Cooperation and Development (OECD) democratic partners and other willing jurisdictions—not as a closed transatlantic exercise. The aim should be to reduce collateral damage and legal uncertainty wherever sanctions or other public law measures—of any jurisdiction—have cross-border effects.

A principles-based template already exists. The OECD’s work on government access to data held by private entities offers a useful, inclusive model: Shared commitments to legality, legitimate aims, necessity and proportionality, oversight, transparency, and redress can sustain trust across borders without forcing “data nationalism.” A sanctions-conflicts regime could borrow the same logic. Its operational core could set shared definitions for how sanctions might apply to digital services, enable rapid authority-to-authority coordination, protect essential-service and humanitarian continuity, and guarantee basic due process and transparency.

At the purely transatlantic level, the EU and the United States have already taken a procedural path in the related field of cross-border government access to electronic evidence. EU and U.S. officials launched negotiations in September 2019 on a bilateral e-Evidence agreement; these talks advanced from March 2023 to October 2024, and—even if currently stalled—left a workable template for reconciling overlapping commands through government-to-government instruments.

For now, outright sanctions-driven suspensions of core digital services remain rare. Precisely because they are exceptional, democracies should resist normalizing kill-switch solutions or building policy around routine service cutoffs. The wiser course would be to keep shutdowns as a last resort, while prioritizing cooperative legal arrangements that limit spillovers and protect essential continuity.

Today’s geopolitical climate is not propitious for sweeping accords; in particular, transatlantic trade and industrial-policy frictions may slow progress. Yet the structural pressures—more economic blocs, more targeted and national-security-based sanctions, more unilateral measures—will create even more challenges. That is why the groundwork should begin now—with legal scholarship, technical working groups, and quiet diplomacy—so that when politics allow, a new digital compact can be concluded quickly.

The Nayara incident is a wake-up call: The fear of a kill switch and the capacity to wield one can coexist in the same polity. The task is to discipline power with law—to build a system in which, among democratic partners, no one can exercise that power unilaterally and without recourse. In an interdependent digital world, the sustainable path is cooperation and negotiated rules, turning the kill switch from a blunt geopolitical weapon into a tool of last resort governed by clear, international principles.