The European Commission published the results of its Cloud III tender on April 17, 2026. Four European providers were selected: Post Telecom (DEEP) with Clever Cloud and OVHcloud; STACKIT, the cloud division of the Schwarz Group; Scaleway, the cloud arm of French telecoms group Iliad; and Proximus NXT.
The contract is a six-year framework agreement. It covers the European Commission, the European Parliament, the European Council, the European External Action Service, and seventy European agencies. The purpose: sovereign cloud infrastructure for Europe’s core institutional digital operations. Total value across all four providers: €180 million. Four parallel contracts were awarded deliberately: the Commission’s own Cloud Sovereignty Framework explicitly required diversification to avoid dependency on any single provider.
The paper had a chapter about this. The paper also had a prediction about it. That prediction was sitting at “tracking” until today.
What Was Awarded
The Proximus NXT submission is not a single product. It is a composed architecture: five organisations, each covering a distinct layer of the sovereign requirements.
Proximus and Proximus NXT anchor the stack as the prime contractor in Belgium and Luxembourg: the trusted telecom and ICT integrator that ties the architecture together across two jurisdictions, providing connectivity, managed infrastructure, and operational continuity.
S3NS was built as a joint venture between Thales and Google Cloud to solve a specific problem: how to deliver hyperscaler-grade cloud performance under strict European sovereign conditions. Their product, PREMI3NS, received SecNumCloud 3.2 qualification from ANSSI in December 2025. SecNumCloud is France’s highest cloud security certification, issued by the national cybersecurity agency for sensitive and critical infrastructure workloads. The architecture is not a pure European alternative to US hyperscalers. It is a certified sovereign wrapper: Google Cloud infrastructure operated under French law, data stored exclusively in French data centres, under controls that keep access rights firmly within French legal jurisdiction.
Clarence is a joint venture between Proximus and LuxConnect, Luxembourg’s state-backed data centre infrastructure provider. Where S3NS handles sovereign cloud workloads that require certification and legal control, Clarence handles the cases where even a certified wrapper is not sufficient. Fully disconnected, physically air-gapped, operating within Luxembourg’s jurisdiction: workloads that cannot transit any external network under any condition.
At the top of the stack: Mistral AI delivers AI capabilities on the sovereign cloud platform. French, not Californian. Not subject to the US CLOUD Act. The intelligence layer the paper described as the third requirement for genuine digital sovereignty.
Thales closes the architecture with high-assurance security design and cybersecurity threat intelligence across the entire stack. The role is worth reading carefully: Thales co-founded S3NS and provided the security expertise behind PREMI3NS’s ANSSI qualification. In Cloud III, Thales operates at a second level as independent security architect across the full solution. The organisation that certified one component is also the validator of the whole.
Fabrice De Windt, Proximus NXT Lead: “European institutions require the highest levels of security, sovereignty and reliability. This selection confirms Proximus’ ability to deliver sovereign cloud solutions built on European services and operated by trusted local partners. By combining cloud, cybersecurity and European AI, we support public institutions in their digital transformation while preserving full control over their data and infrastructure.”
The Three Layers
The paper’s central architecture argument appears in Chapter 3. A European sovereign cloud still running OpenAI’s API has merely relocated the dependency. It has not eliminated it. Genuine sovereignty requires control at three levels simultaneously: the infrastructure, the silicon, and the intelligence.
The Cloud III selection covers two of the three. The infrastructure layer: Proximus NXT, S3NS, Clarence (European-hosted, certified, air-gapped where required). The intelligence layer: Mistral AI (European model, open weights, not callable under a US national security letter).
The silicon layer is not addressed by this contract. The stack runs on certified cloud infrastructure; the underlying compute is not specified as European silicon. That gap remains. But the paper was honest about the timeline: three-layer sovereignty is a 2028–2030 destination, not a 2026 baseline. The Cloud III solution is two-thirds of the architecture the paper described as necessary. That is further than almost anything else announced this year.
The paper also named GAIA-X as the prior attempt at European cloud sovereignty, and noted that the consortium had incorporated the very hyperscalers it was designed to counterbalance. Cloud III is structurally different. It is not a standards consortium. It is an enforceable procurement framework, signed by institutions with real operational workloads and a six-year contractual horizon. The architecture is not aspirational. It is contracted.
The Mistral Signal
The paper gave Mistral AI one line. It should have had more.
By the time Cloud III was awarded, Mistral’s position had changed materially. Revenues passed $400 million by February 2026, rising sharply as European organisations concluded that a European model on European infrastructure was the only clean compliance path under the AI Act and GDPR simultaneously. In March, Mistral raised €830 million to fund Nvidia-powered AI centres across Europe. The week Cloud III was announced, Mistral was building the compute infrastructure to serve it at scale.
The previous TGR article on this topic, The Open Weight War, made the argument directly: open weights are not a preference for European regulated-sector organisations. They are the compliance path. You cannot demonstrate conformity with AI Act Article 13 transparency obligations on a model whose architecture you cannot inspect. You cannot audit a model you do not have access to.
Cloud III operationalises that argument at institutional scale. The European Commission is not a startup hedging its AI strategy. It is the central regulatory institution of a 450-million-person union. When it writes Mistral into a six-year cloud framework, it is doing two things simultaneously: securing its own operations, and signalling to every public institution in Europe what the expected architecture looks like.
Prediction 6.2 in the paper read: “European open-weight models (particularly Mistral AI) become the compliant-by-default choice for regulated-sector organisations in Europe.” A single procurement contract does not confirm a market-wide trend. But it moves the prediction in a direction it has been moving since February.
The Proximus Paradox
There is one tension worth naming. In February 2025, Proximus Group selected AWS as its strategic global cloud provider to “harness the power of cloud and generative AI on a global level.” The same company that built a fully sovereign European stack for EU institutions also runs on AWS for its commercial global operations.
This is not inconsistency. It is the hybrid equilibrium the paper described in Chapter 9.
Commercial workloads follow efficiency. Regulated, sovereign, and institutional workloads follow a different set of constraints: compliance, jurisdictional control, auditability, and contractual guarantees of data residency. These two types of workload are not the same problem, and they do not need the same solution.
What Cloud III demonstrates is that the two ecosystems are not converging. They are diverging. The gap between workloads that can run anywhere and workloads that must run here, on this, under these conditions is widening. Proximus is building infrastructure on both sides of that gap simultaneously. So is every serious European cloud operator.
The interesting question is not whether this divergence happens (it is already happening), but how fast the “must run here” category expands as AI Act obligations begin to land. The deadline that matters for most regulated-sector organisations is December 2, 2027: high-risk AI systems. That is 84 weeks away.
What the Scorecard Says
Prediction 5.3: “Digital sovereignty will become an explicit procurement requirement in EU public sector AI contracts.”
This prediction had been at tracking since April 10, based on four EU governments mandating sovereign AI in public administration and France’s military signing a Mistral framework agreement. The note read: “would move to confirmed with one more independent source confirming procurement mandates are being implemented, not just announced.”
Cloud III is a signed framework agreement, published by the European Commission, naming five European partner organisations, covering the EU’s core institutional operations, for six years. It is implementation, not announcement.
Scorecard update: prediction 5.3 moves from tracking to confirmed. Prediction 6.2 (Mistral as the compliant-by-default European AI model) advances within tracking. 13 of 30 predictions confirmed or confirmed-exceeded.
The Proximus press release stated explicitly: this result “serves as a reference model for public authorities across Europe, many of which are aligning their own cloud requirements with criteria defined at European level.”
If the reference model is adopted, 5.3 does not just confirm. It propagates.