Telefonica Tech and Cloud Sovereignty: Trend Analysis

Geopolitics reaches the data center

The concept of sovereign cloud has moved from a niche regulatory topic to a concrete business trend in under two years. And Europe, with Spain as one of the more active markets, is driving much of the momentum.

Recent moves confirm the trajectory. Telefonica Tech launched its sovereign cloud offering built on proprietary infrastructure with ENS (Spain’s National Security Framework) high-level certification. Minsait (Indra) finalized its alliance with Google Cloud to offer Distributed Cloud Hosted, a version of GCP running entirely in Spanish data centers under Minsait’s operational control. AWS announced the opening of its Aragon region for 2025.

These are not isolated announcements. They reflect a structural shift in how European enterprises and governments think about cloud infrastructure. The relevant question is not whether sovereign cloud is real. It is. The question is: who needs it, what problem does it solve, and what does it cost compared to alternatives.

What drives the trend

Three converging forces explain why European companies are paying attention to cloud sovereignty now rather than five years ago.

Regulation. GDPR already required that personal data of European citizens be processed under European jurisdiction. But the Schrems II ruling (2020) and subsequent EDPB guidance complicated transfer mechanisms to third countries. The practical consequence: companies managing sensitive data (healthcare, finance, public administration) prefer to avoid the legal debate over transatlantic transfers by keeping data physically in the EU, operated by European entities.

Spain’s ENS adds an additional layer. To contract with the Spanish General State Administration, cloud providers must hold ENS certification. High level for sensitive data. This automatically excludes providers without certified presence in Spain. Similar frameworks exist across Europe: Germany’s C5, France’s SecNumCloud.

FISA 702 and the Cloud Act. US surveillance laws allow the American government to request access to data stored by American companies, even if the data is physically located on European servers. AWS, Azure, and GCP are American companies. This is not conspiracy theory. It is the current legal framework. For sectors like defense, public administration, and healthcare, this legal risk is sufficient to prefer a European cloud provider.

Supply chain resilience. The pandemic and geopolitical tensions demonstrated that depending on a single provider for critical infrastructure is a risk. Sovereign cloud is partly a diversification strategy: having the ability to operate critical services on infrastructure controlled by local entities, without depending on corporate decisions made in Seattle or Redmond.

What the European market offers

The sovereign cloud landscape in Europe has three layers:

Hyperscalers with local presence. AWS (regions in Ireland, Frankfurt, Spain, Stockholm, and more), Azure (multiple European regions), GCP (through partners like Minsait and T-Systems). They offer the same APIs and services as their global regions, but with data physically in Europe. They solve the data residency problem, but not operational sovereignty: management and access remain with the American company.

Sovereign partnerships. Minsait+Google Cloud in Spain, T-Systems+Google Cloud in Germany, Thales+Google in France. These agreements create an operational sovereignty layer: the infrastructure is in Europe, operations are handled by a European company, and (in some models) encryption keys are exclusively in the hands of the client or the European partner. It is a compromise between hyperscaler functionality and sovereignty guarantees.

Purely European providers. Companies like OVHcloud (France), Hetzner (Germany), Gigas and Stackscale (Spain, now part of Telefonica Tech) offer entirely European cloud infrastructure. Smaller service catalog than a hyperscaler, but with zero ambiguity about jurisdiction. For workloads that do not need advanced managed services (ML, analytics at scale), they are a viable and often cheaper alternative.

The question that matters: who actually needs this

Not every company needs sovereign cloud. The vast majority do not.

Those that need it meet at least one of these criteria:

• They contract with government agencies that require national security framework certification
• They handle health data protected by GDPR with additional requirements from national data protection authorities
• They operate in regulated sectors (banking, insurance, energy) with data residency requirements from financial or market regulators
• They handle classified or defense-related data

For an e-commerce company, a B2B SaaS, or a logistics startup, AWS eu-west-1 in Ireland is perfectly valid. The data is in the EU. GDPR is satisfied. And the cost is 15-30% lower than sovereign European options, because hyperscalers are more efficient at scale.

The mistake we are seeing is companies adopting sovereign cloud “as a precaution” without a real regulatory requirement. The result: they pay more, have fewer available services, and obtain no tangible legal benefit. Cloud sovereignty is a tool for a specific problem, not a generic upgrade.

Implications for cloud strategy

For companies that genuinely need sovereign cloud, the practical recommendation is:

Multi-cloud with purpose. Regulated workloads in the sovereign cloud. Non-regulated workloads on the hyperscaler with the best value. Do not mix everything into a single provider “for simplicity.” The apparent simplicity of a single provider becomes real dependency.

Abstract the infrastructure. Kubernetes (EKS, AKS, GKE, or self-hosted) as an abstraction layer allows moving workloads between providers with reasonable friction. If your application is coupled to AWS-specific services (Lambda, DynamoDB, SQS), migrating to a sovereign cloud is a rewrite project. If it runs in containers orchestrated by Kubernetes with standard managed databases, the migration is a configuration change.

Evaluate total cost. Sovereign cloud typically costs 20-40% more than the equivalent hyperscaler for the same workloads. That premium is acceptable if it avoids a real legal or regulatory risk. It is unacceptable if it is merely a peace-of-mind premium without regulatory foundation.

Cloud sovereignty is a real trend responding to real needs of a specific market segment. It is not the next big thing for every company. It is the right solution for the right companies. Knowing whether your company is one of them requires a risk analysis, not a sales brochure.

For companies needing to evaluate their cloud strategy, we start with the analysis of regulatory and business requirements. The technology comes after.