Over-Dependent on Microsoft? The Hidden Concentration Risk

Eran Goldman-Malka · February 12, 2026

Walk through any Luxembourg bank and you will see the same logos again and again: Microsoft 365, Teams, Azure‑hosted services, US‑based ticketing and CRM platforms. Individually, each choice was rational. Collectively, they form a concentration risk that is both operational and legal.

From an operational angle, a single vendor outage can disrupt identity, email, collaboration, document management, even customer‑facing workflows. From a legal angle, Schrems II reminds you that using a US hyperscaler is not just a contract question; you are required to assess third‑country laws and stop transfers if adequate protection cannot be ensured. Those are not edge cases—they are board‑level risks.

The problem is not “Microsoft is bad”. The problem is having no credible alternative path if the legal landscape or your own risk appetite changes. Most continuity plans assume “Microsoft is there, just degraded”. Very few simulate “Microsoft is there, but legally unusable for certain data or workloads”.

If your main SaaS vendor became non‑compliant under EU law next quarter, what would you actually do in week one? How long would it take before customer‑facing services, internal approvals, or regulatory reporting start to grind to a halt?
