Microsoft 365 8 min read

Copilot Flex Routing: How Microsoft sends your EU data to America 

Copilot EU DATA BOUNDARY GDPR-NIS2-DORA MC1269223
Copilot Flex Routing: How Microsoft sends your EU data to America 
⚠️ Deadline: April 17, 2026 — Changes take ~1 week to become active. Act now, not tomorrow.

Why this article, why now

It was one of those Monday afternoon situations. I opened the Message Center to collect material for the next M365 News episode — and then I stumbled across MC1269223. Looks harmless in the subject line. But for every EU admin who has Copilot running, this one has real impact.

From April 17, 2026, Microsoft enables Flex Routing for all EU and EFTA tenants by default. The name sounds like a minor technical thing. It is not. It is a fundamental decision about data sovereignty — and most admins have not looked at it yet.

The tricky part: Microsoft expects you to check the setting yourself and decide if it fits your organisation. If you don’t look, it is on. And then Copilot might be processing your prompts in the US, Canada, or Australia — without anyone actively agreeing to that.

What is Flex Routing anyway?

Flex Routing allows EU and EFTA customers to let LLM inferencing happen outside the EU Data Boundary when demand is too high during peak times — to keep the Copilot experience running smoothly.

🔍
What is inferencing?

Inferencing is the step where the large language model actually processes your prompt and generates a response. Before that happens, your prompt has already gone through preprocessing, safety checks, and RAG — meaning your company data, emails, files, metadata, and system prompts are already bundled together. When Flex Routing kicks in, this complete package gets processed outside the EU.

That is the point that matters from a compliance perspective. Not the data transport itself — but that in the moment of AI processing, the full context bundle can leave the EU. When Flex Routing is on, that can happen in the US, Canada, or Australia.

Microsoft’s commitment — what holds, what doesn’t

To be fair: Microsoft is transparent about this. There are real protections in place. Data is encrypted in transit and at rest, no matter where LLM inferencing happens. Data at rest stays inside the EU Data Boundary — except for limited pseudonymised data used for security and operational purposes.

So: your data is not moving permanently. It gets processed outside, the result comes back, the storage stays in the EU.

⚠️
What Microsoft does NOT guarantee

That no personal data is processed outside the EU in that moment. The regulatory question is not “is the data encrypted?” The question is: “Can you prove that no processing happened outside the EU during a specific period?” If Flex Routing is on and you have not checked it, the honest answer is: not easily.

The EU Data Boundary — the foundation

The EU Data Boundary makes sure that customer data is stored and processed within EU/EFTA regions. Flex Routing is a deliberate exception to that — built for capacity bottlenecks, switched on by default. For Germany, in-country processing for Copilot is announced for 2026. Until then, Flex Routing is the reality.

The hope: Bergheim, Bedburg, Elsdorf

On March 12, 2026, the groundbreaking ceremony for the Microsoft data centre cluster in the Rhenish mining region took place — under the motto “AI for Germany”. Where brown coal excavators shaped the region for decades, digital infrastructure is now being built.

Rhenish Region · NRW, Germany · Groundbreaking March 12, 2026
Locations
Bergheim · Bedburg · Elsdorf
Investment
3.2 billion euros
Type
Hyperscale data centres
Goal
Cloud & AI capacity for Germany

The connection to Flex Routing is direct: Flex Routing is a pressure valve for capacity shortages. More EU capacity means fewer situations where Microsoft needs to fall back on it at all.

⚠️
Assumption — no official timeline

Microsoft has not communicated an official completion date. Hyperscale projects of this size typically take 2–4 years from groundbreaking to full operation — realistically that means earliest 2028. Until then, Flex Routing stays in the toolbox, and the admin toggle is the only control you have today.

What is actually happening in the background?

The data flow of a Copilot prompt

Step 1
Prompt arrives
User writes a question in Teams, Word, Outlook, etc.
Step 2
Graph query
Copilot pulls relevant data via Microsoft Graph: emails, documents, calendar, chats.
Step 3
Context assembly
Prompt plus company data gets bundled into one context package.
Step 4 — critical
Inferencing · this is where Flex Routing hits
The complete context package can now go to the US. Emails, files, metadata, system prompts — all bundled, processed outside the EU. Even if it only takes seconds.
Step 5
Response delivered
Result goes back to the user. Interaction data stored at rest inside the EU.

The Anthropic factor

At the same time there is MC1269241: Microsoft is enabling Anthropic models (Claude) for Copilot in Word, Excel, and PowerPoint. EU, EFTA, and UK tenants have this disabled by default — because Anthropic processing happens outside the EU Data Boundary.

⚠️
Double compliance hit

Two default-on changes, both with compliance relevance, both landing in the same week. MC1269223 (Flex Routing) and MC1269241 (Anthropic models) need to be evaluated separately — don’t treat them as one thing.

How you step in as an admin

The two options, compared

Setting What happens Who should use it
ON · Default
Allow flex routing		 Inferencing can happen in US, Canada, or Australia during peak load. Better availability, but processing may leave the EU. Only if GDPR/NIS2/DORA are not a factor — and you have documented that decision consciously.
OFF · Recommended
Do not allow flex routing		 LLM inferencing always stays inside the EU Data Boundary. Possible trade-off: slightly higher latency in real peak situations. Recommended for all regulated industries and anywhere GDPR compliance needs to be clean.

Step by step: how to disable Flex Routing

1
Open the M365 Admin Center
Go to admin.cloud.microsoft — you need the role AI Administrator or Global Administrator.
2
Copilot → Settings
Click Copilot in the left menu, then select Settings.
3
View all → Flexible inferencing during peak load periods
Click “View all” until the setting becomes visible.
4
Select “Do not allow flex routing” and save
Pick the radio button → click Save. “Changes saved” confirms it.
5
Check the Power Platform Admin Center
admin.powerplatform.microsoft.com — the M365 setting is inherited unless a more restrictive one is already set there. To be safe: check both.
6
Evaluate Anthropic models separately (MC1269241)
Copilot → Settings → View All → “AI providers operating as Microsoft subprocessors” — make a decision and document it.
⚠️
Important: ~1 week delay

Microsoft explicitly states that changes take up to one week to fully take effect. Don’t wait until April 16 — set it now.

Watch out for…

📋
Regulated industries

For financial services (DORA), critical infrastructure (NIS2), healthcare, and public sector, Flex Routing is not acceptable in most scenarios. Not because encryption is missing — but because you cannot prove that no processing happened outside the EU.

📋
Multi-Geo exception

The Flex Routing setting is not available for customers who have Multi-Geo capabilities — even if the tenant is in an EU/EFTA country. Multi-Geo customers have different mechanisms for location control.

📋
Document your decision

Whatever you choose — write it down. Date, who decided, legal basis. This is DPIA-relevant and exactly what auditors will ask for.

Practical check

How you know it is working

  • Setting shows “Do not allow flex routing” with saved status
  • Power Platform Admin Center is configured consistently
  • Anthropic subprocessor setting has been consciously reviewed
  • Decision is documented internally with date and reasoning

If it doesn’t work — check these 3 things

1
Wrong role
Only AI Administrator or Global Administrator can save the setting. With other admin roles you can see it but not change it.
2
One week delay
Changes take up to 7 days to kick in. That is not a bug — just wait it out.
3
Forgot Power Platform
Dynamics 365 and Copilot Studio have a separate setting in the Power Platform Admin Center. Check both.
☕ Wrap-up · Ferdi-Style

What sticks

Flex Routing is not a hidden attack on GDPR. It is a pragmatic capacity solution from Microsoft — communicated transparently, with real encryption, with a clear admin toggle. But: the toggle is on by default.

For many companies outside regulated industries that might be fine. For finance, healthcare, public sector, and critical infrastructure — this is not something you just let run without a decision.

The real problem is not the feature itself. It is the speed at which Microsoft rolls out these defaults — combined with the Message Center noise that most admins simply cannot go through every single day. The NRW data centres are the structural answer to that problem. But they come earliest in 2028.

Espresso-Moment

Microsoft gives you the switch — but you have to go and flip it yourself. If you don’t, you haven’t made a conscious decision. You just said yes by doing nothing.

Checklist: Flex Routing & EU Compliance

  • MC1269223 read and understood in the Message Center
  • Flex Routing setting checked in the M365 Admin Center
  • Decision (on/off) documented internally with reasoning
  • Power Platform Admin Center checked for consistent setting
  • Anthropic subprocessor setting (MC1269241) evaluated separately
  • Legal and compliance team informed (GDPR, DORA, NIS2)
  • Change applied at least 7 days before the deadline — so now

Have you already checked the setting? Drop me a message on LinkedIn — I am curious how many EU tenants still have this open.

Ferdi Lethen-Oellers
Written by Ferdi Lethen-Oellers Microsoft MVP

Senior Modern Workplace Consultant at amexus · Speaker · Author of “Microsoft 365 Administration für Dummies”. I make M365 understandable — no buzzwords, no filler.