Catalan cloud: a partial victory
The announcement of the Generalitat's tender for a sovereign Catalan public cloud is a sign that the fight for a more democratic digitalization is beginning to bear fruit. With the invaluable help, it must be said, of the bad example that Trump, Musk, and their allies have set for the world, showing that what digital rights advocates have been saying for years was not a dystopian fantasy but a very real possibility. Technological dependence on infrastructure, providers, jurisdictions, and decisions alien to fundamental rights can, from one day to the next, become a first-class democratic problem.
For this reason, this tender contains positive elements. Above all, it implies a change of direction: finally, in a large public technological contract, criteria are beginning to be introduced that do not only respond to technical security, but also to the consolidation of the general interest: free software, i.e., auditable; portability, and interoperability. All this contributes to technological independence.
This is not minor. From the European public procurement directive of 2014, legislation already allows for awarding not only based on price, but also incorporating qualitative, social, environmental, and innovative criteria. However, and as I explain in Democratic digitalization. Digital sovereignty for people (Raig Verd, 2024), in practice these criteria have been applied too little. Any attempt to introduce general interest objectives in technological procurement has often been blocked by legal inertia rooted in a narrow view of competition, as if any democratic, social, or technological requirement other than the lowest price was suspected of distorting the market.
In this case there is a development that from Xnet we consider particularly relevant: the tender requires the bidder to demonstrate "commitment to the use of open-source software" in the construction of the platform, prioritizing it in key components to promote technological independence and portability through open standards and documented APIs. It also requires detailing which components are open-source and which are owners, and justify this choice in terms of sovereignty, functionality, and integration with open standards.
It is true: it is not a full free software obligation. It does not require all code to be published, nor the entire platform to be publicly auditable. But it is an important step forward. We will see if this commitment is serious when we know who wins the bid and what the real composition of the system is: which parts are free, which are proprietary, which dependencies remain and who can audit them.
The tender incorporates valuable guarantees: infrastructure located in Catalan territory; management and control by an entity subject to European regulation; legal sovereignty requirements; data hosted in the EU; keys under client control; non-proprietary APIs; traceability; observability; audits and reversibility mechanisms. It also requires integration capacity through well-documented and non-proprietary APIs or protocols, adhering to public and widely adopted standards, to reduce dependence on single providers.
But the essential question is: who will be able to verify all this? From what we have been able to see in the tender document, the auditability guarantees are strong, but mainly internal and institutional. The CTTI, the Cybersecurity Agency of Catalonia, and the competent bodies will be able to audit the correct execution of the service, access documentation and tools, and demand assistance and action plans. This is necessary, but not sufficient. It is not equivalent to public transparency.
Sovereignty should not be just for the Government and institutions. We demand that all these auditability guarantees be public and accessible. Digital sovereignty should not mean that we no longer want Big Tech to monitor and profile us so that our governments can do it. Digital sovereignty must be for everyone, institutions and individuals.
Finally, it seems that a lesson we should not forget has not been learned. During the "Procés", the Civil Guard searched the headquarters of T-Systems, then the technological provider of the Generalitat, as part of judicial proceedings related to October 1st. The published information spoke of judicial requests for information and the sealing of equipment. This precedent shows a key issue: a critical public infrastructure is not sovereign if the provider can receive a judicial, administrative, or governmental order—state or foreign—and the affected administration does not have an express contractual guarantee of immediate notification, unless there is a legal prohibition. In this regard, an essential clause is missing that obliges the provider to immediately notify the client – the Government, in this case– of any request from a public authority, except when an express legal prohibition prevents it.
Without a clause of this type, there is no real sovereignty, not even for the Government itself. The tender requires avoiding access by jurisdictions or matrices from outside the EU, but it goes no further.
In short: this tender is good news because it shifts the debate. We are talking about rights, autonomy, control, security, open source, portability, and sovereignty. It is a partial victory of years of struggle for democratic digitalization. But we must not confuse the direction with the arrival. The tender framework itself requires an EU SEAL-3 level, that is, technological sovereignty or digital resilience, but not full sovereignty. This is understandable, because we still do not have enough talent and digital capacity to achieve it. Therefore, our position is clear: we celebrate the change of direction, we wish that it will truly be fulfilled, and we ask that it increase as soon as possible.