Airbus is about to launch a tender that many in the European tech sector have been waiting for years: migrating critical—and especially sensitive— workloads from their data centers to a “sovereign cloud” in Europe. However, the move comes with an uncommon admission from a large corporation: they are not clear that a European provider capable of meeting all the requirements even exists.
According to Catherine Jestin, Executive Vice President of Digital at Airbus, the company aims to release the bid early January and make a decision before summer, for a contract exceeding €50 million with a duration of up to 10 years, seeking price stability.
What Airbus wants to move (and why it’s not just a “lift & shift”)
When a company talks about cloud migration, sometimes it refers to a set of peripheral applications. That’s not the case here. Airbus is preparing to move structural components: ERP, Manufacturing Execution Systems (MES), CRM, and Product Lifecycle Management (PLM), including aircraft designs.
The trigger isn’t purely technical but also related to software lifecycle management. In the corporate ecosystem, many large manufacturers are pushing innovation toward the cloud, and platforms like SAP accelerate this trend. Airbus states it plainly: if providers focus the future on the cloud, those remaining “on-prem” may end up trapped in legacy versions, lacking updates or facing increasingly inconvenient upgrade cycles.
For system administrators, this implies more than just changing hosting; it’s redefining identities, networks, segmentation, encryption, business continuity, and 24/7 operations for applications supporting industrial production.
The critical point: sovereignty isn’t the same as “region in Europe”
Airbus emphasizes a specific idea: European control over extremely sensitive information. That’s where legal realities clash: even if data physically resides within the EU, dependency on major US providers reopens debates over extraterritorial laws, with the CLOUD Act symbolizing that uncertainty.
Jestin admits that Airbus expects clear regulation on whether it could truly be “immune” to such pressures and whether service disruptions could occur in tense political scenarios. She sums up the market situation with a pragmatic estimate: “80/20” probability of finding the right solution.
In sysadmin language: it’s not just about asking “where is the data center?”, but who operates it, under which jurisdiction, who manages the control plane, who has access, how keys are secured, what audits are in place, and what enforceable contractual guarantees exist.
Europe also moves: certifications, requirements, and public procurement
Airbus’s case comes at a time when Brussels aims to turn digital sovereignty into something operational, not just talk. For example, the European Commission has promoted initiatives related to a cloud sovereignty framework and the development of European cloud certification (EUCS), with public procurement rules and requirements designed to reduce dependency and increase control.
At the same time, the debate isn’t settled: part of the European industry criticizes regulatory approaches that, practically, could allow hyper-scalers to continue competing in “sovereign” contracts through legal structures and subsidiaries, without fully changing control asymmetries.
What “sovereign cloud” means for infrastructure teams (a realistic checklist)
If Airbus is setting the bar high, it’s because the term “sovereign” has been used loosely. In practice, for industrial and critical environments, the conversation often boils down to verifiable conditions like these:
- Key custody and encryption: BYOK/HYOK, European-controlled HSM, rotation and segregation policies.
- Control and operational plane: who accesses consoles, how audits are conducted, what “break glass” support exists and under what rules.
- Isolation and network: strong segmentation, microsegmentation or Zero Trust, dedicated connectivity (MPLS/SD-WAN), route controls, and telemetry.
- Business continuity: real multi-site DR (and multi-jurisdiction if applicable), regular testing, contractual RPO/RTO.
- Portability and dependency: APIs, formats, IaC automation, and exit strategy from day one.
- Compliance: not only GDPR but also sector-specific requirements, export controls, and internal information classification policies.
For an organization like Airbus, the challenge is ensuring all this works with systems that cannot tolerate unpredictable latencies, that require integration with factories, and where performance degradation means not just user complaints, but production bottlenecks.
“Real sovereignty” or marketing: the warning from the European trenches
This is where many CIOs are starting to articulate a key nuance: partially moving away from hyper-scalers is not about going back in time; it’s about reducing strategic risk.
David Carrero, co-founder of Stackscale (Aire Group), a European cloud infrastructure provider, summarizes it as: “Sovereignty cannot just be based on slapping the ‘EU’ logo on a platform. If operation, control, and jurisdiction remain outside, all you have is dependency under another name. The real approach involves combining private cloud, bare-metal, and European-operated cloud, with effective audits and control.”
This doesn’t mean an immediate shutdown of US providers. It’s a more pragmatic approach: hybrid architectures where critical and sensitive workloads are anchored in European infrastructure, while less sensitive workloads are distributed with discernment. For many companies, the realistic path is migration by domains (ERP in phases, sensitive data by classification, engineering environments with reinforced controls) and building a model where the provider is an interchangeable component, not an irreversible destination.
The “Airbus effect”: why this could influence other industries
If Airbus concludes this tender successfully, the message to the market will be powerful: Europe not only wants sovereignty; it’s willing to pay for it and demand it through major contracts. And if it doesn’t succeed, that will also be a signal: European offerings still don’t scale enough or need more cooperation, common operational standards, and industrial capacity.
Other sectors with similar incentives to rethink dependency—at least partially—are evident: defense, energy, healthcare, banking, telecommunications, high-tech manufacturing, and, of course, public sector. The pattern repeats: sensitive data, operational continuity, and growing discomfort with regulatory and geopolitical risks.
Airbus has set a date and put money on the table. Now it’s up to the European ecosystem to demonstrate whether “sovereign” is a commercial promise… or a real operational reality.