The news sounds like a European industrial success: Microsoft has received preliminary approval to build three major data center campuses in Aragon, with an investment exceeding €5.3 billion and hundreds of kilometers of associated fiber optic cable. The region is strengthening its role as a key node for Azure cloud, joining the presence of AWS and Microsoft’s already operational region in Madrid.
The official narrative is well known: skilled employment, opportunities for the local tech ecosystem, and, of course, “digital sovereignty.” Data “stays in Europe,” is hosted “on Spanish soil,” and is subject to “European laws.”
The problem is that none of these alone amount to digital sovereignty. Neither for Spain nor for the European Union.
Europe talks about sovereignty… with 70% of its cloud in foreign hands
Market data is hard to reconcile with the political narrative. According to Synergy Research Group, more than 70% of the European cloud market is controlled by just three U.S. companies: Amazon Web Services, Microsoft Azure, and Google Cloud. European providers—OVHcloud, Scaleway, T-Systems, Aruba, Stackscale, and others—account for hardly around 15%, compared to 29% in 2017.
In other words, while the EU multiplies strategies of “strategic autonomy,” the actual dependence on U.S. hyperscalers has increased. Every new AWS or Microsoft region celebrated as a “historic opportunity” practically reinforces that power asymmetry.
Having data centers in Zaragoza or La Muela does not make that infrastructure European. The concrete is Aragonese; ownership, command chain, and control plane remain in Redmond.
Applicable law is not in Brussels, but in Washington
The second uncomfortable angle is legal. Even if data is physically stored in Spain, the provider remains subject to the laws of its home country.
The U.S. CLOUD Act, passed in 2018, allows U.S. authorities to require companies based in the U.S. to grant access to data they manage, even if that data is stored in Europe. This complements other frameworks like FISA 702, which extend U.S. intelligence’s reach over “cloud” data.
Major cloud providers have responded with proposals for “sovereign cloud,” “data boundaries,” or agreements with local partners to reassure European customers. Google, for example, has announced specific solutions in the EU alongside partners like Thales to reinforce sovereignty perceptions. But, as various analysts point out, these arrangements do not change the fundamental fact: the parent company remains American and subject to U.S. laws.
In other words: compliance improves, legal risk surface decreases… but the legal power asymmetry persists.
Gaia-X, “sovereign clouds,” and the reality of dependence
The EU has been talking for years about “digital sovereignty” and launching initiatives like Gaia-X, EuroHPC, or various certification schemes (such as EUCS) for cloud services. The narrative is clear: ensure Europe does not critically depend on a handful of third-country platforms.
In practice, it’s much less epic. The Gaia-X project itself, initially conceived as a framework for sovereign infrastructure and data services, ended up opening the door to large U.S. hyperscalers, sparking criticism about how “European” it could truly be.
Meanwhile, the same providers dominating the market offer “sovereign” versions of their services: regions controlled by local partners, geographic isolation, and additional controls. It’s a logical move from a business and technical standpoint, but it places Europe in an uncomfortable position: its sovereignty depends on non-European providers deciding to act “as if” they were.
The VMware case and the role of Proxmox VE: a lesson in dependency
The upheaval caused by VMware’s licensing and strategic shifts after its acquisition by Broadcom has been a warning sign for many European organizations: depending on a single proprietary provider in such a critical layer as virtualization can be very costly.
In this context, European and open source solutions like Proxmox VE have gained prominence as a real alternative to VMware in enterprise data centers. Proxmox enables building virtualization and container clusters based on open technologies (KVM, LXC, Ceph), reducing the risk that a remote corporate decision makes the infrastructure’s foundation obsolete—or prohibitively expensive.
If Europe wants projects like Gaia-X to be more than just logos or a collection of powerpoints, it needs critical components in its reference architecture: open hypervisors, software-defined storage, programmable networks, and stacks that don’t force reliance on a single foreign vendor.
True digital sovereignty: European providers and open stacks
Serious talk about European digital sovereignty involves, at a minimum, four levels:
- Physical sovereignty
Data centers located within European territory, connected to backbone networks, with guaranteed access to energy and cooling… but also majority ownership and control by European companies. - Legal sovereignty
Providers whose headquarters, controlling shareholding, and main legal framework are in the EU or aligned countries. This limits exposure to extraterritorial legislation like the CLOUD Act. - Technological sovereignty
Intensive use of free and open standards in critical layers:- Virtualization: Proxmox VE, KVM.
- Storage: Ceph, GlusterFS.
- Orchestration: Kubernetes deployed on European infrastructure.
- Observability, security, software-defined networking… without dependencies on a single vendor.
- Economic and talent sovereignty
Supporting an ecosystem of European providers that reinvest locally:- Major players like OVHcloud, Scaleway, Deutsche Telekom, Orange, Aruba Cloud.
- Cloud and bare-metal infrastructure specialists such as Stackscale, with data centers in Spain and the Netherlands, focusing on private cloud, bare-metal, network storage, and high-availability solutions under European legislation.
This combination—physical infrastructure in Europe, European jurisdiction, open stacks, and European providers—is closest to achieving true digital sovereignty. It’s not a perfect or immediate solution, but it significantly reduces structural dependence.
What governments, companies, and the tech sector can do
For “digital sovereignty” to stop being a slogan in press conferences and become an industrial policy, concrete decisions are needed.
1. Public procurement with sovereignty criteria
Government cannot talk about strategic autonomy while concentrating critical services in two or three non-European hyperscalers. Without falling into outright protectionism, it can:
- Require that part of critical workloads be hosted with European providers.
- Introduce requirements for portability, reversibility, and no lock-in.
- Prioritize solutions based on open and auditable technologies.
The debate surrounding “Buy European” measures for certain cloud services already exists in Brussels; what’s missing is the political will to fully implement it.
2. Companies: multi-cloud… but not just with the usual providers
Many companies boast of “multi-cloud,” but in reality, they only combine AWS with Azure or Google Cloud. If Europe wants to change the balance, multi-cloud must also include European providers:
- Deploy stable or sensitive workloads on European private clouds (like Stackscale or other regional players).
- Reserve global hyperscalers for scenarios where they provide clear added value (specific managed services, global presence, etc.).
- Design architecture and automation (Terraform, Ansible, Kubernetes, Proxmox VE, etc.) from the start to enable workload portability across providers without rewriting the entire system.
3. Technical ecosystem: choose with purpose
System, DevOps, and development teams have more influence than they realize. Every time they choose between:
- A proprietary hypervisor or Proxmox VE.
- Closed storage or Ceph.
- Vendor lock-in or open standards.
they are effectively voting on the kind of ecosystem that will exist in 5 or 10 years. Digital sovereignty is not built only with laws; it’s also built through pull requests, architectural decisions, and hosting contracts.
Aragon as a symptom, not an exception
The new Microsoft campuses in Aragon are not “the problem” in themselves. Spain and Europe need more data centers, more computing capacity, and more investment in infrastructure.
The issue is the narrative that accompanies them: portraying an “European digital sovereignty” model where concrete infrastructure (like the concrete itself) is local, but effective control—economic, technological, and legal—still belongs to a handful of U.S. (and to a lesser extent, Chinese) companies.
If Europe wants to stop just talking about sovereignty and start exercising it, it will have to do something much harder than cutting ribbons at new data centers: truly commit to its own providers, technologies, and talent. Without that, the Aragon campuses will just be another piece of dependency—despite a flag of yellow stars on a blue background.