Oireachtas Picks Microsoft as EU Demands Digital Sovereignty

Sinn Féin TD Máire Devine used to have a landline phone in her office at Leinster House. She no longer does. “All gone. All gone,” she said, speaking via her mobile one Tuesday afternoon last month. The Houses of the Oireachtas have moved the parliamentary phone system onto Microsoft Teams, completing a transition that began during the Covid period and accelerated last year. For Devine, the result is something she does not quite know what to call. “Is it a telephone?” she asked. “It just all of a sudden, this appeared.”

The shift, which places Ireland’s parliament deeper inside Microsoft’s product stack than at any point in its history, comes as Europe has signed a declaration committing to reduce dependence on US Big Tech. It also runs alongside France’s decision to migrate its civil service off Windows, and the European Commission’s new market investigation into cloud hyperscalers. Independent Senator Alice-Mary Higgins, who has raised the issue in committee, says the move has gone unexamined. “Even our phone systems on Microsoft Teams,” she said by email in early June.

The Phones That Stopped Being Phones

The switch is part of a wider shift in which the Oireachtas has been adopting Microsoft systems to handle the day-to-day work of parliamentarians, Higgins said. That has included using Microsoft software for emails, document storage and internal messaging, she said. The migration now extends to the telephone, with members placing and receiving calls through the Teams client on the laptops and PCs the Oireachtas provides.

The change was first flagged in the Oireachtas 2024 service action plan as part of an effort to modernise the parliament’s infrastructure. Led by the Oireachtas’s Information and Communications Technology team, the telephone migration was scheduled for delivery in the second quarter of 2024. Fianna Fáil TD Catherine Ardagh, a current member of the Houses of the Oireachtas Commission, said on Friday that the move pre-dated her appointment to the commission. Members had been using Teams for years, including throughout the Covid period, she said, “albeit, primarily on desktop devices rather than as the integrated telephony platform now in use.”

Microsoft is the standard provider of software for the Houses of the Oireachtas, with each of its members provided a laptop and PC that include Windows 10, Office 365, Outlook and Teams, according to the Oireachtas website. Labour TD Robert O’Donoghue’s office sits in the middle of the transition. “We still have a landline. I think it’s set up to operate on Teams,” he said. “Teams seems to function well, even if it’s just handier to use my mobile when making calls.”

O’Donoghue’s office still uses a physical handset. “My staff sometimes use the landline. But I don’t,” he says. The Oireachtas service, asked for the reason it was rolling the change out, did not respond to emails sent on 19 and 26 June. Higgins, the senator, said she had grown used to Microsoft Teams as one way of communicating, “but the telephones really were something that was just a different level of concern.” Allowing the Oireachtas telephone systems to be dependent on a particular software provider is something that needs to be reviewed, she said on Monday.

The concern extends beyond telephony. “Even the fact of having so many systems dependent on a single provider is in itself something that maybe might seem straightforward from a procurement perspective,” Higgins said. “But maybe it merits more consideration.” The Oireachtas service did not publish a rationale for the switch.

Until that has really been carefully examined, we need to have a question mark around moving these telephone systems online.

The Tide Running the Other Way

The EU’s member states gathered in Berlin late last year to sign the Declaration for European Digital Sovereignty, a Franco-German summit designed to set the political direction for Europe’s digital future. The Paris AI Action Summit earlier in 2025 had set the stage, and the Berlin meeting produced concrete commitments on data protection, cloud competition, open-source adoption, and AI. France and Germany also used the summit to launch a joint task force on European digital sovereignty, with a remit to develop sovereignty indicators in cloud services, artificial intelligence, and cybersecurity. The results of that work are due at the Franco-German Council of Ministers in 2026. For now, the declaration has given Europe’s digital sovereignty push a name and a roadmap.

Several practical steps have already followed. The European Commission has launched a market investigation into the qualitative designation of cloud hyperscalers, the small group of mostly American companies that host most of Europe’s data. France’s Directorate for Digital Affairs has mandated that the civil service wean off Microsoft Windows and move to the Linux operating system “to protect digital sovereignty,” as O’Donoghue put it. Linux is an open-source alternative that several governments now see as a way to reduce reliance on a single provider, and, as O’Donoghue noted, “encourage the use of EU-based alternatives.” Ireland, for its part, has signed the Berlin declaration but is moving its own parliament in the opposite direction.

European digital sovereignty by the numbers

  • 27: EU member states that signed the European Digital Sovereignty declaration
  • 18 November 2025: date the declaration was signed, at a Franco-German summit
  • 900+: policymakers, industry leaders and civil society representatives at the summit
  • 12 billion euros: private investment in European tech pledged at the summit

When Khan’s Inbox Went Dark

The European pushback had a single triggering moment. In early 2025, US President Donald Trump signed an executive order sanctioning the International Criminal Court after it had issued a warrant for the arrest of Israeli Prime Minister Benjamin Netanyahu for war crimes and crimes against humanity. ICC Chief Prosecutor Karim Khan soon lost access to his Microsoft email. A spokesperson for Microsoft said “at no point did Microsoft cease or suspend its services to the ICC.”

The order’s significance was that it demonstrated a US administration could use sanctions to cut a sanctioned foreign official off from the tools they used to do their job, even if those tools were provided by a private company. After Khan was disconnected, the ICC confirmed it was moving away from Microsoft altogether, to a German alternative. Microsoft later said it does not provide any government with “direct, unfettered access” to its customer data, and that any data access request is subject to rigorous legal review. The Khan case nevertheless hardened European conviction that the risk was real, and that dependence had a price.

Liliana Pasquale, an associate professor at the school of computer science in University College Dublin, raised the geopolitical dimension at the Oireachtas AI committee in April. “There are also geopolitical threats because the US could be targeted by third countries, which could target US products that are also used in Europe,” she said. The US and EU have different regulations, Pasquale added, pointing to a French Senate hearing last June at which Anton Carniaux, director of public and legal affairs for Microsoft France, reportedly said the company could not guarantee data sovereignty to European customers.

Warnings From the Committee Room

Higgins voiced her concerns at the same committee, the Joint Oireachtas Committee on Artificial Intelligence, on 21 April. The meeting focused on defence, security and cyber security. “The Oireachtas and a number of government departments were moving all of their telephone systems onto Microsoft Teams,” she said. “Is that a security risk that we should be examining?”

Pasquale, who appeared at the same hearing, said the use of Microsoft products in public, university and other organisations poses a tremendous number of threats. “They have been aggressively integrated without sufficient testing, I believe, as demonstrated by recent attacks,” she said. She pointed to the academic case study on the EchoLeak Copilot exploit, the first real-world zero-click prompt injection exploit in a production AI system, a vulnerability in Microsoft 365 Copilot disclosed in June 2025 by Aim Security.

EchoLeak let an attacker send a single crafted email and, without any user action, trick Copilot into exfiltrating sensitive data to a server controlled by the attacker. Microsoft assigned CVE-2025-32711 to the flaw and issued emergency patches. The case has become a reference point for critics who argue that AI integrations in productivity software widen the attack surface in ways the existing security stack was not designed to handle. “The company can access personal data and potentially violate General Data Protection Regulation,” Pasquale said at the committee in April.

A Microsoft spokesperson pushed back, saying the company’s products are rigorously tested before deployment, fully GDPR compliant, and designed to give organisations full control over how their data is managed. “This is backed by contractual safeguards and commitments to store and process data in the EU,” the spokesperson said. The Oireachtas service, asked for the reason it was rolling the change out, did not respond to emails sent in June.

Copilot, Councils, and the Exit That Gets Harder

Copilot, Microsoft’s generative AI chatbot, has been quietly moving into Irish public administration alongside Teams. Dublin City Council, as of June 2025, had seven Copilot licences for its use, according to a separate Dublin Inquirer report. More recently, on 14 April, Minister for Housing, Local Government and Heritage James Browne confirmed that his department is trialing Copilot Chat via Microsoft Teams as a potential technology to assist in productivity. His department has both an AI policy and a governance committee that provides guidance on the responsible use of the tool, he said, with AI training mandatory as part of the deployment.

O’Donoghue’s office has not taken the same step, with his staff opting not to use Copilot at all. The split illustrates the patchwork that has emerged inside Irish public life as Copilot becomes available, with some bodies adopting it and others declining. The risk, Pasquale said at the Oireachtas AI committee in April, is that Copilot itself is now an attack surface. “Attacks to Microsoft Copilot and its related tools have already been documented,” she said. European alternatives are now part of the same push, with new Linux-based European smartphone projects among them.

It is also risky to be overly reliant on a single provider. It makes an exit strategy more difficult in the future.

Pasquale, the UCD computer science academic, made the comments by phone on Friday. Ardagh, the Oireachtas Commission member, said the move to Teams telephony pre-dated her time on the commission. Asked whether the wider stack of Microsoft products inside the parliament has ever been reviewed, the Oireachtas did not respond.

Leave a Reply

Your email address will not be published. Required fields are marked *