• Trade: Increasing trade laws, policies, sanctions, and other regulatory requirements also affect our operations in and outside the U.S. relating to trade and investment. Economic sanctions in the U.S., the EU, and other countries prohibit most business with restricted entities or countries. U.S. export controls restrict Microsoft from offering many of its products and services to, or making investments in, certain entities in specified countries. U.S. import controls restrict us from integrating certain information and communication technologies into our supply chain and allow for government review of transactions involving information and communications technology from countries determined to be foreign adversaries. Supply chain regulations may impact the availability of goods or result in additional regulatory scrutiny. Restrictions on data flows and outbound investment and customer sensitivities may limit our ability to leverage parts of our global engineering footprint to provide services in certain jurisdictions. Increased geopolitical instabilities and changing U.S. Administration priorities create an unpredictable trade landscape. U.S. tariff and shifting AI export controls policies, like the AI Diffusion Rule, could increase operational costs, create uncertainty in the continuity of our products, and accelerate sovereignty initiatives among international partners and customers. The volatility of U.S. tariffs has triggered economic uncertainty and could impact cloud and devices supply chain cost competitiveness. The potential replacement of the recently rescinded AI Diffusion Rule and other potential AI-related rulemakings could adversely affect Microsoft’s business, strategy, and operations. 
Periods of intense diplomatic or armed conflict like the ongoing conflict in Ukraine and the Israel-Hamas conflict could result in (1) new and rapidly evolving sanctions and trade restrictions, which may impair trade with sanctioned individuals and countries, and (2) negative impacts to regional trade ecosystems among our customers, partners, and us.
• Cybersecurity: Legislative and regulatory actions related to cybersecurity may increase the costs associated with developing, implementing, or securing our products and services. The legal and regulatory environment in this area is complex and continues to evolve across multiple jurisdictions. As a result, there is considerable uncertainty regarding both current and future compliance obligations. This uncertainty increases the risk that we may incur additional operational costs, face regulatory enforcement actions, or encounter challenges in the development and deployment of our products.
• Handling of personal data: Legal requirements relating to the collection, storage, handling, and transfer of personal data globally continue to evolve. The growth of our Internet- and cloud-based services internationally relies on the movement of data across national boundaries. Data protection authorities and governments in the EU and other markets have restricted or blocked, and may again restrict and/or block, the use of services that involve the transfer of data across borders. New and evolving rules and restrictions on the flow of data across borders could increase the cost and complexity of delivering our products and services. In addition, the EU General Data Protection Regulation (“GDPR”) and other similar regulations impose a range of compliance obligations regarding the handling of personal data. New requirements related to the use of data, including the Data Act, add additional rules and restrictions on the use of data in our products and services.
• Environmental, Social, and Governance: Laws, regulations, and policies relating to environmental, social, and governance matters are being developed and formalized in Europe, the U.S., and elsewhere, which may include greenhouse gas emissions and energy usage caps, as well as specific, target-driven environmental, social, and governance frameworks and disclosure requirements. In addition, in 2020 we announced goals to become carbon negative, water positive, and zero waste by 2030. Any failure or perceived failure to meet our sustainability goals, or to meet various sustainability regulatory requirements, could result in claims and lawsuits, regulatory actions, penalties, or damage to our reputation, each of which could adversely affect our business, operations, financial condition, and results of operations.
How these laws and regulations apply to our business is often unclear, subject to change, and sometimes may be inconsistent from jurisdiction to jurisdiction. In addition, governments’ approach to enforcement, and our products and services, are continuing to evolve. Compliance with existing, expanding, or new laws and regulations may involve significant costs and operational efforts, or require changes in products or business practices that could adversely affect our results of operations. Noncompliance could result in the imposition of penalties, criminal sanctions, or orders to cease the alleged noncompliant activity. If our products do not meet customer expectations or legal requirements, we could face regulatory or legal actions, and our business, operations, financial condition, and results of operations could be adversely affected.
PART I