Quick answer up front: for every core function of Microsoft 365, there’s a European open-source alternative. Nextcloud replaces SharePoint and OneDrive, Mailcow takes over email and groupware from Exchange Online, Collabora Online or OnlyOffice covers the Office web apps — plus Keycloak for logins and Vaultwarden for passwords. All of it runs on servers in the EU and can be operated in a GDPR-compliant way.
As for why the question comes up at all: Germany’s Datenschutzkonferenz (DSK), the conference of German data protection authorities, concluded years ago that GDPR-compliant use of Microsoft 365 can’t easily be proven — and that hasn’t gotten any better since. Microsoft 365 is still standard in plenty of offices, and it remains a running point of contention with data protection.
Quick note: this is context, not legal advice. For your specific case, it’s worth getting a specialist’s opinion.
What the criticism is about
The criticism comes down to three points. Telemetry and diagnostic data flow out at a scale that’s hard to fully control, some of it to the US. Exactly what gets processed, and when, is something a company can barely track end to end. And as a US provider, Microsoft is potentially subject to access by American authorities. Bottom line: the responsibility for making the deployment GDPR-compliant sits with you — and proving it is tedious.
You’re not locked in
For practically every function Microsoft 365 offers, there’s a European or open-source alternative:
- Email & groupware: Mailcow, Open-Xchange, Mailbox.org
- Files & collaboration: Nextcloud
- Documents: Collabora Online or OnlyOffice
- Identity & logins: Keycloak
- Passwords: Vaultwarden
Here’s how that maps:
| Microsoft 365 | GDPR-friendly alternative | For what |
|---|---|---|
| Exchange Online | Mailcow | Email & groupware |
| SharePoint / OneDrive | Nextcloud | Files & collaboration |
| Office web apps | Collabora Online | Documents |
| Entra ID / Azure AD | Keycloak | Identity & logins |
| Passwords (browser/autofill) | Vaultwarden | Password management |
These run on servers in the EU, your data stays with you, and you’re not paying per head, per month.
Nobody switches over a weekend, though, and nobody has to. The sane approach is staged: start with the most sensitive part — email and files — then the rest, in parallel, with enough time to get comfortable. That keeps operations stable while the dependency drops. And if you don’t want to shoulder that yourself, you can have the whole operation handled as self-hosting as a service.
Whether these tools end up running cleanly, by the way, isn’t decided by the software — it’s decided by how it’s operated. Nextcloud is the best example of that. That’s exactly what managed open-source hosting is for.
Want to know if and how a switch makes sense for you? Get in touch — I’ll tell you honestly what makes sense and what doesn’t.