Executive Summary
Europe’s push for digital sovereignty is reshaping the region’s technology landscape. Three events in late‑2025 illustrate the contours of this shift. Mastercard announced plans to invest about €250 million in three new data centres in France. The company said the expansion would localise its payments infrastructure, create a “sustainable, distributed network that can run anywhere,” and increase resilience against natural or geopolitical disruptionsdatacenterdynamics.com. The news highlights how financial‑sector incumbents are responding to regulatory requirements such as the EU’s Digital Operational Resilience Act (DORA) by building redundant, sovereign infrastructure.
Around the same time, the European Commission launched a €180 million sovereign‑cloud tender under the Cloud III Dynamic Purchasing System. Up to four providers will be selected under a new Cloud Sovereignty Framework which measures sovereignty across eight objectives—strategic, legal, operational, supply‑chain, technology, security, environmental and compliance dimensionscommission.europa.eu. This framework provides a practical benchmark for how sovereign cloud services should be assessed and is intended to nudge the market towards compliance with EU standards and valuescommission.europa.eu.
In contrast to these investments, Google paused a billion‑dollar data‑centre project in Finland after the Finnish government proposed to increase the electricity tax for data centres by roughly 40×, from €0.0006 per kWh to €0.0225 per kWhdatacenterdynamics.com. Google stressed that regulatory stability and predictable operating conditions were critical to its investment decisiondatacenterdynamics.com. The episode illustrates how energy policy can deter foreign investment even in markets known for low‑carbon power. The Finland Data Center Association estimates the country’s live capacity could grow from 285 MW in 2025 to 1.5 GW by 2030datacenterdynamics.com—but such projections may hinge on tax clarity and competitive electricity prices.
These cases collectively show that Europe’s digital infrastructure strategy is driven by sovereignty goals, regulatory harmonisation, and energy policy. Firms investing in Europe must adapt to evolving sovereign‑cloud standards, comply with resilience mandates like DORA, and navigate divergent national tax regimes. Policymakers must balance sovereignty with market openness and provide clear, stable frameworks to attract investment.
Introduction
Europe’s digital‑sovereignty agenda aims to reduce dependence on foreign technology providers, improve resilience to geopolitical shocks, and ensure that sensitive data remains under EU jurisdiction. The agenda gained momentum after high‑profile outages and concerns over extraterritorial laws like the US Cloud Act. Regulations such as DORA and the forthcoming Cloud and AI Development Act (CAIDA) reflect growing emphasis on operational continuity and sovereignty. Investments and policy initiatives in late‑2025 offer insight into how public institutions and private firms are responding.
Mastercard’s €250 m Data‑Centre Investment in France
Background and Drivers
On 23 October 2025, Mastercard announced it would develop three new data centres in France at a cost of roughly €250 milliondatacenterdynamics.com. The payments company already operates more than a dozen data centres across Europe and about 60 worldwidedatacenterdynamics.com. In an announcement written by Mastercard’s Europe president Kelly Devine, the company said it was “transforming our technology footprint” to enable localisation of its payments infrastructure, creating an always‑on network with reduced vulnerability to natural or geopolitical eventsdatacenterdynamics.com. The plan is part of a broader shift from relying solely on hyperscale cloud providers to owning or leasing critical infrastructure.
Strategic Rationale and Regulatory Context
The investment reflects several strategic and regulatory drivers:
- Digital Operational Resilience Act (DORA). DORA came into effect on 17 January 2025 and sets uniform ICT risk management requirements for financial entities. Mastercard’s status as a Systemically Important Payment System means it must meet stringent uptime, redundancy and governance standardsinfrastructurebrief.com. Locating core switching and authorisation capacity inside the EU can streamline supervisory engagement, reduce cross‑border data flows, and simplify compliance with EU oversight regimesinfrastructurebrief.com.
- Sovereignty and localisation. By building facilities in France, Mastercard reduces dependency on non‑EU cloud providers. The company notes that localising infrastructure enhances resilience and enables operations during geopolitical disruptionsdatacenterdynamics.com. Infrastructure will likely meet Tier IV availability standards with diverse fibre routes and grid connections to ensure “always‑on” payment processinginfrastructurebrief.com.
- Energy and sustainability considerations. France’s nuclear‑heavy energy mix offers low‑carbon electricity. However, national debates in 2025 highlighted the need for accelerated grid planning to accommodate new loads from data centresinfrastructurebrief.com. Mastercard’s modest footprint compared with hyperscale builds still requires careful site selection, access to RTE and Enedis infrastructure, and permits for backup generators and noise abatementinfrastructurebrief.com.
European Commission’s €180 m Sovereign‑Cloud Tender
Cloud III Dynamic Purchasing System and Tender Scope
On 10 October 2025, the European Commission’s Directorate‑General for Digital Services announced a €180 million tender to procure sovereign cloud services for EU institutions over six yearscommission.europa.eu. The competition runs under the Cloud III Dynamic Purchasing System (DPS) and allows EU institutions, bodies, offices and agencies to procure cloud services that meet defined sovereignty criteriacommission.europa.eu.
The tender will award contracts to up to four providers registered in the Cloud III DPS. Awarding is expected between December 2025 and February 2026commission.europa.eu. The goal is to drive the entire cloud sector towards compliance with European standards by setting minimum assurance levels for sovereignty and establishing a benchmark for evaluationcommission.europa.eu.
Cloud Sovereignty Framework and Objectives
To evaluate tenders, the Commission introduced a Cloud Sovereignty Framework. The framework defines eight sovereignty objectives—strategic, legal & jurisdictional, data & AI, operational, supply‑chain, technology, security & compliance, and environmental sustainabilitycommission.europa.eu. Each objective has an associated Sovereignty Effectiveness Assurance Level (SEAL) that quantifies how well a provider meets the objective. For example:
- Strategic sovereignty assesses how anchored services are within the EU’s legal, financial and industrial ecosystemcommission.europa.eu.
- Legal & jurisdictional sovereignty measures exposure to non‑EU laws and the enforceability of rightscommission.europa.eu.
- Operational sovereignty evaluates the ability of EU actors to run and evolve technology independently of foreign controlcommission.europa.eu.
- Supply‑chain sovereignty examines the origin and resilience of components and the degree of EU controlcommission.europa.eu.
Sovereignty scores are computed and used as award criteriacommission.europa.eu. Providers must meet minimum SEAL levels across all objectives; those who do not are rejectedcommission.europa.eu. The framework draws on initiatives like Gaia‑X, France’s “Cloud de Confiance,” Germany’s “Souveräner Cloud,” and the European Cybersecurity Certification Framework, signalling the EU’s desire to harmonise sovereignty standards across member statescommission.europa.eu.
Finland’s Proposed Electricity Tax and Google’s Data‑Centre Decision
Proposed Tax Policy and Investor Reaction
In October 2025, the Finnish government considered a legislative amendment to the Act on Excise Duty on Electricity and Certain Fuels. The amendment would move data centres to a higher electricity‑tax category, raising rates from €0.0006 per kWh to €0.0225 per kWh—roughly a 40‑fold increasedatacenterdynamics.com. The change would take effect on 1 January 2026 if approveddatacenterdynamics.com.
Google, which had acquired 1,400 hectares of land in Kajaani and Muhos to build a data‑centre campus, responded by pausing its investment until the tax issue was resolveddatacenterdynamics.com. Sources reported that Finland’s governing party feared the company would withdraw if the rate hike proceededdatacenterdynamics.com. In submissions to the government, Google emphasised that regulatory stability and predictable operating conditions were crucial factors in investment decisionsdatacenterdynamics.com. Other investors, such as XTX Markets, said the proposed tax would impact their long‑term plansdatacenterdynamics.com.
Finland’s Data‑Centre Landscape and Growth Projections
Finland offers abundant land, cool climate and low‑carbon electricity, making it attractive for data‑centre development. Existing operators like Verne, Equinix and atNorth have facilities in the Helsinki area, and new developers—including Polarnode, FCDC, Arcem and Hyperco—are planning multiple projectsdatacenterdynamics.com. The Finnish Data Center Association projects that national live capacity will increase from 285 MW in 2025 to 1.5 GW by 2030datacenterdynamics.com.
Figure 1 illustrates this expected growth. The projection underscores Finland’s potential to become a Nordic data‑centre hub but also highlights how policy uncertainty could slow investment.
Analysis and Implications for Europe’s Digital Sovereignty
Balancing Sovereignty, Resilience and Market Openness
Mastercard’s and the EU’s initiatives exemplify a deliberate move toward sovereign control over critical digital infrastructure. For corporates, sovereign data centres offer control over operations, data locality and compliance; for regulators, they provide leverage to enforce standards and manage systemic risk. However, sovereignty must be balanced against market openness: strict localisation requirements can raise costs, reduce economies of scale, and limit access to global innovation ecosystems. The Cloud Sovereignty Framework attempts to strike this balance by defining transparent criteria that allow providers to demonstrate compliance while maintaining competitive differentiationcommission.europa.eu.
Energy Policy and Data‑Centre Investment
Finland’s proposed tax shift underscores the role of energy policy in digital infrastructure strategy. While low‑cost, clean electricity makes the Nordic region attractive for hyperscalers, sudden tax changes can erode this advantage. Investors may view such shifts as signals of regulatory risk, leading to delayed or cancelled projects. Policymakers seeking to tax energy consumption for environmental or fiscal reasons must weigh the benefits against potential capital flight. Clear, predictable tax regimes and incentives for renewable energy procurement can encourage investment while meeting environmental goals.
Regulatory Coordination and Innovation
The cases also highlight the need for coordination between EU‑level and national‑level policies. DORA and the Cloud Sovereignty Framework set common standards, but national tax and energy policies may inadvertently undermine them. A harmonised approach could include EU guidance on data‑centre taxation, aligned with sustainability targets, to prevent regulatory arbitrage and ensure that sovereignty goals do not deter investment. Concurrently, innovation in cooling, energy efficiency and heat reuse can reduce environmental impact and justify preferential tax treatment.
Recommendations and Conclusion
For enterprises, investing in sovereign European infrastructure should be accompanied by careful assessment of regulatory frameworks. Firms should engage with policymakers early to secure clarity on tax and energy policies, and should design distributed architectures that can adapt to changing regulations. Participation in shaping standards—such as through tender processes and industry consortia—can help ensure that sovereignty frameworks remain practical.
For policymakers, maintaining investor confidence requires stable, transparent rules. The Cloud Sovereignty Framework is a positive step because it provides measurable criteria and minimum assurance levels. National governments should complement EU‑level initiatives with coherent energy and tax policies that incentivise sustainable data‑centre development while preserving competitiveness. Public‑private partnerships may help finance the build‑out of sovereign infrastructure, spreading costs and benefits.
Overall, the intersection of digital sovereignty, resilience, and energy policy will shape Europe’s data‑centre landscape in the coming decade. Success will depend on aligning regulatory ambition with operational reality—ensuring that Europe remains secure and autonomous without isolating itself from global technological innovation.
