The question is no longer taboo. It surfaces in board meetings, procurement frameworks, and informal conversations amongst digital leaders: is it really possible to move away from Microsoft 365? And, more to the point, should you? For years, the very idea was treated as impractical — Microsoft 365 was the “default standard”, the unquestioned foundation of the modern workplace. That is no longer the case. Between successive price increases, a hardening European regulatory framework and the growing maturity of French sovereign alternatives, the question now deserves a serious, well-informed and honest answer. Neither ideological nor purely commercial.
This article does not claim that leaving Microsoft 365 is straightforward. What it offers instead is a structured decision-making framework for CIOs, CISOs and digital transformation directors who wish to evaluate this scenario with rigour and clarity.
A question that is no longer taboo and for good reason
Several signals have converged in recent years to place Microsoft 365 back on the table as a strategic question, not merely a technical one.
The first is financial. Between 2022 and 2025, Microsoft implemented several significant price increases across its Microsoft 365 licences, in some cases approaching 20% in a single year on certain plans. For large organisations counting their licences in thousands or tens of thousands of seats, the budgetary impact is direct and increasingly difficult to absorb without questioning the scope of the existing contract.
The second is geopolitical and legal. The international context has sharply reminded many French and European organisations that they are running digital infrastructures under extraterritorial dependency. The US CLOUD Act is not an abstract legal technicality reserved for specialists — it is an operational reality affecting every organisation that uses the services of a company subject to US law, regardless of where those servers are physically located.
The third is regulatory. NIS2, DORA, the Restricted Distribution classification for sensitive organisations, and the SecNumCloud requirements increasingly appearing in public procurement tenders: the regulatory environment now imposes levels of data control that are structurally incompatible with a total dependency on a provider subject to foreign law.
What Microsoft 365 covers and what it cannot guarantee
Before discussing migration, it is essential to be precise about what Microsoft 365 does, and what it is structurally incapable of guaranteeing — not through technical inadequacy, but through legal construction.
Microsoft 365 covers an extremely broad functional spectrum: email (Outlook), office productivity suite (Word, Excel, PowerPoint), team collaboration (Teams), file storage and sharing (SharePoint, OneDrive), video conferencing, basic project management (Planner), and more recently, AI-powered features through Copilot. It is a coherent ecosystem, deeply integrated with the Windows workstation, whose adoption tends to become irreversible after a few years of intensive use.
What Microsoft 365 cannot guarantee, however, comes down to a single line: the legal sovereignty of your data. Microsoft is a US company. As such, it is subject to the CLOUD Act and FISA, which allow US federal authorities to compel access to data held by Microsoft, wherever in the world that data physically resides. European data centres, contractual data localisation clauses, ISO 27001 certifications: none of these measures changes the fundamental legal reality. As our analysis on protecting executive data makes clear, this structural limitation is precisely what makes Microsoft 365 unsuitable for certain sensitive perimeters, entirely independently of any performance or pricing consideration.
The real decision criteria beyond the feature comparison
When evaluating an alternative to Microsoft 365, the temptation is to compare feature sets line by line. This is a useful exercise, but an insufficient one. The criteria that genuinely drive a sound migration decision are of a different order.
The nature of the data being processed
Not all data warrants the same level of protection. The executive committee’s discussions on a potential acquisition do not carry the same sensitivity as a holiday booking spreadsheet. The right question is not “Should I leave Microsoft 365?” but rather “Which information flows in my organisation require a level of protection that Microsoft 365 cannot provide?” This is a risk-based approach, not a tool-based one.
The regulatory profile of the organisation
A local authority subject to SecNumCloud eligibility requirements, an NHS-adjacent body subject to data protection obligations, a critical infrastructure operator subject to NIS2: each organisation carries different obligations, and each must assess the compatibility of its tools with those obligations before any other consideration.
Actual functional dependency
How many employees genuinely use Word for complex documents requiring advanced formatting? How many use Excel for sophisticated financial modelling? The honest answer is often far lower than the total number of licences. Identifying the true power users of the office productivity suite allows the migration effort to be sized accurately — and, in most cases, significantly reduced.
The organisation’s readiness for change
Change management is consistently underestimated in migration projects. As our analysis on the end of the intranet and internal email shows, resistance to a change of tool is not a matter of habit but of trust: employees need to understand why the change is happening and to perceive a direct benefit in their daily work.
The CLOUD Act: the legal obstacle that European data centres cannot resolve
This is the most frequently misunderstood point, and the most important one for a CIO or corporate lawyer to get right.
When Microsoft hosts your data in a data centre located in France, Germany or the Netherlands, this does not alter the legal nationality of the entity operating that service. Microsoft Ireland Operations Ltd, which provides Microsoft 365 services across Europe, is a subsidiary of a US company. As such, it remains subject to the CLOUD Act, which enables the US government to access data regardless of its physical location.
Initiatives such as Microsoft EU Data Boundary bring genuine contractual improvements, but do not constitute absolute legal protection. The UK Information Commissioner’s Office, along with data protection authorities across the EU, has repeatedly signalled that transfers of data involving entities subject to US law remain problematic, even with contractual safeguards in place.
For organisations handling sensitive data (strategic information, health records, classified information, data relating to national interests), this limitation is not a legal footnote. It is a fundamental incompatibility with their obligations.
Full migration or a sovereign-layer strategy: two distinct approaches
A complete migration away from Microsoft 365 is achievable, but it is lengthy, costly and technically complex. It requires simultaneously replacing email, the office productivity suite, file storage, video conferencing and collaboration tools. For the vast majority of organisations, this is not realistic in the short term.
A more immediately actionable approach exists: the sovereign-layer strategy. This involves retaining Microsoft 365 for standard productivity use cases (Word, Excel, PowerPoint) that do not involve highly sensitive data, whilst replacing the collaboration, internal communication and sensitive project management layer with a qualified sovereign solution.
This approach has several advantages. It is incremental and does not require a large-scale simultaneous migration. It targets the highest-risk use cases precisely (executive exchanges, sensitive project discussions, structurally important internal communications), rather than attempting to replace an entire ecosystem in one move. And it immediately reduces exposure to the most critical legal and cybersecurity risks.
This is indeed the approach taken by many organisations that have deployed Whaller DONJON not as a replacement for their existing information system, but as a sovereign layer dedicated to exchanges that cannot afford any security compromise.
What Whaller covers
Transparency on this point is a prerequisite for trust.
Whaller is a sovereign Digital Workplace, designed to cover collaboration, internal communication and team-working use cases. Here is what it covers in practice:
- Internal communication: activity feeds, thematic spheres, surveys, events, announcements, internal newsletters
- Team messaging: instant and asynchronous discussions in compartmentalised, access-controlled spaces
- Video conferencing: integrated video meetings with automatic meeting minutes generated by Whaller (IA)ssistant
- Document management: file storage, sharing and organisation by sphere, with Whaller Drive 2.0 and Whaller Signature (eIDAS-compliant electronic signing)
- Project management: task Kanban boards, shared calendars, accountability tracking
- Integrated AI: conversation summaries, automatic task generation, meeting transcription and minutes, MCP server for advanced automation
- Office suite: included in every Sphère box, the Whaller 365 office suite enables all members of the network to collaborate effectively and in real time.
- Extended network: secure extranet for partners, federations and external contributors via visitor spheres
SecNumCloud qualification: what it means in practice for your IT team
For organisations subject to high security requirements (public administrations, local authorities, operators of essential services, healthcare institutions, defence sector companies), the SecNumCloud qualification awarded by France’s national cybersecurity agency, ANSSI, is the most rigorous security standard available in France for cloud services.
Whaller DONJON is the first and only French collaborative platform to have obtained SecNumCloud 3.2 qualification from ANSSI and one of only three qualified collaborative SaaS solutions in France. This qualification covers both the infrastructure layer (OVHcloud, SecNumCloud-qualified at IaaS level) and the application software (Whaller DONJON, SecNumCloud-qualified at SaaS level), with no grey zone between the two layers.
In practice, this means the following for a CIO or CISO:
- A direct response to public procurement requirements that mandate SecNumCloud qualification
- Structural immunity from extraterritorial legislation, including the US CLOUD Act
- Physically dedicated hosting per organisation, with no data pooling between clients
- End-to-end encryption of communications and documents
- Comprehensive access logging to meet audit and compliance requirements
For organisations that do not require the DONJON level of security, Whaller’s Business and Enterprise plans offer a level of data control significantly higher than American platforms, at pricing accessible to mid-sized companies and public sector bodies of moderate scale.
Where to start: three concrete steps
Beginning a migration review does not mean changing everything tomorrow. The following three initial steps allow organisations to move forward methodically and without undue risk.
1. Map sensitive information flows
Before selecting any tool, a diagnostic is required. Which exchanges within your organisation involve strategic, confidential or regulatory-sensitive information? Do those flows currently pass through Microsoft 365? In what form? This mapping, carried out jointly by the CIO and CISO, is the prerequisite for any informed decision. It draws usefully on frameworks such as the Digital Resilience Index (IRN), which enables organisations to assess their level of digital dependency.
2. Identify a first pilot scope
Incremental migration is the only approach that consistently succeeds. Identifying a first perimeter — a leadership team, a sensitive project, a legal department — and deploying a sovereign solution within that scope allows organisations to validate user adoption, refine processes and measure concrete gains before broadening the deployment. Our guide on deploying a Digital Workplace sets out this phased approach in detail.
3. Assess the real cost of inaction
The cost of a migration is visible and straightforward to calculate. The cost of not migrating is far less so: legal exposure in the event of a CLOUD Act compulsion, cumulative licence costs over three to five years, regulatory risk in the event of NIS2 or DORA non-compliance, and reputational risk in the event of a data security incident involving sensitive information.
FAQ — Frequently asked questions about moving away from Microsoft 365
Is it possible to migrate gradually rather than switching everything at once?
Yes, and that is indeed the recommended approach. The sovereign-layer strategy involves replacing the most sensitive collaboration and internal communication use cases first, whilst retaining the Office productivity suite for those who genuinely require it. Whaller is designed to integrate with the existing ecosystem rather than impose itself as a wholesale replacement.
Does Microsoft 365 Business Premium not already offer a sufficient level of security?
Microsoft 365 Business Premium brings meaningful improvements in workstation security and identity management. However, it does not address the fundamental legal question of the CLOUD Act: the entity operating the service remains subject to US law, regardless of the security option subscribed to. For sensitive or strategic data, this does not meet the protection requirements set by French and European regulatory frameworks.
Does Whaller replace Teams for video calls?
Whaller includes native video conferencing functionality within its spheres, with automatic meeting minutes generated by Whaller (IA)ssistant. For organisations making intensive use of Teams specifically for video calls involving large numbers of external participants, a case-by-case evaluation is recommended.
What is Whaller’s certification level?
Whaller DONJON holds SecNumCloud 3.2 qualification from ANSSI — the most rigorous cloud security standard in France — covering both infrastructure and application software. Business and Enterprise plans benefit from sovereign hosting at OVHcloud in France, with no exposure to extraterritorial legislation.
How long does a Whaller deployment take?
A pilot deployment covering a targeted scope can be operational within a matter of days. A full deployment across an organisation of intermediate size (200 to 500 users) typically takes four to eight weeks, including configuration, administrator training and change management support.
Further reading
- Blog: Whaller vs Microsoft Teams: a complete comparison
- Website: Whaller DONJON — SecNumCloud 3.2 collaborative platform
- Website: Discover Whaller’s sovereign Digital Workplace
📅 Sign up for free and discover Whaller I 👉 Request a demonstration I 📩 Need advice? Contact us!
0 Comments