Microsoft just switched on data boundary exceptions for your Copilot tenant WITHOUT ASKING!
If your organisation's in the EU or EFTA and you're running Microsoft 365 Copilot, there's a change you must know about, and you've got until 17 April 2026 to act on it.
On the surface, this sounds practical; however, in reality, it creates a compliance problem that is harder to dismiss.
For a long time, Microsoft took a cautious approach with EU data boundary features. When Anthropic was first added as a subprocessor, the setting was off by default for EU and EFTA tenants, making it clear that regulation and consent were a priority.
Flex routing breaks that pattern; a shift noted by compliance analysts.
The Message Center item states "Flex routing is enabled by default for your tenant", followed by a reassurance that admins can change the setting at any time.
The option to turn it off does exist, but if nobody on your team reviews this before 17 April, it will simply turn on, posing compliance issues for organisations subject to GDPR, NIS2 or DORA.
The EU Data Boundary exists because European law, including GDPR, NIS2 and DORA, restricts how data belonging to organisations may move or be processed outside the EU. It is not just a best-practice recommendation, but a legal requirement.
Flex Routing introduces a scenario where, during a Copilot usage spike, LLM inferencing may occur outside that boundary.
Microsoft maintains that data at rest stays within the EU and that only limited pseudonymised operational data is stored outside. However, compliance teams will still be asking:
Can you demonstrate that no person or sensitive data was processed outside the EU Data Boundary during a given period?
If Flex Routing is on and you haven't reviewed it, the honest answer is 'not easily'.
This is particularly concerning for regulated industries, including legal, financial services, healthcare and the public sector. For these sorts of organisations, that level of uncertainty isn't acceptable
Navigate to the Microsoft 365 admin center. The Flex Routing control sits within the Copilot settings area.
Review whether it is currently on, or scheduled to be enabled. You can also view MC1269223 on ChangePilot for a full breakdown of the change.
If your organisation is subject to GDPR, NIS2, DORA, or sector-specific data residency requirements, involve your Data Protection Officer or compliance lead in this decision before 17 April.
If your organisation requires strict EU data residency for Copilot processing, disable Flex Routing before 17 April. If after review, you are comfortable with the trade-off, document that decision.
Note that MC1269241 also enables Anthropic models for Copilot in Word, Excel and PowerPoint (also on by default). Both changes land at the same time and compound the compliance impact.
Your legal, compliance, and data governance teams need to know this is happening before it comes into effect.
This isn't just about Flex Routing - this involves two default-on Copilot changes in one week, both with compliance implications and deadlines measured in days, not weeks.
Microsoft's pace isn't slowing down, and the assumption baked into every Message Center post is that someone on your team will catch it, understand it, and act in time. Most teams can't do that consistently. This is what M365 evergreen change looks like at scale and it's drawing significant attention across the Microsoft community.
Potentially yes. GDPR restricts how personal data belonging to EU organisations may be processed outside the EU. If Flex Routing is enabled, some Copilot processing may occur outside the EU Data Boundary. Organisations with strict data residency obligations should review the setting and involve their Data Protection Officer before 17 April.
No. Microsoft states that customer data at rest continues to reside within the EU Data Boundary. Only LLM inferencing (processing) may temporarily occur outside the EU during high-demand periods. However, limited pseudonymised data may also be stored outside for operational security purposes.
Flex Routing can be disabled in the Microsoft 365 admin centre under Copilot settings. Organisations have until 17 April 2026 to review and adjust the setting before it becomes active by default.
Organisations subject to GDPR, NIS2, DORA, or sector-specific data residency requirements, particularly in legal, financial services, healthcare, and the public sector, should treat this as a compliance-relevant decision, not a default they accept without review.
The Microsoft EU Data Boundary is a commitment from Microsoft that data belonging to EU and EFTA customers will be stored and processed within the EU. Flex Routing introduces a conditional exception to the processing element of this commitment during peak Copilot demand.