An incident registered on October 20, 2025, in a global cloud services provider based in the United States caused the interruption of applications and services in European data centers, affecting users and entities in Barcelona, Girona, Tarragona, and other cities of the European Union. The technical failure originated in the Virginia region and had immediate consequences on critical infrastructures in Madrid, Paris, Frankfurt, and Dublin.
Impact on the management of personal data and essential services
The incident evidenced that, although data storage may be located in Europe, resource management depends in many cases on centralized services outside the European Economic Area. The fall of key systems such as identity management (IAM) or the global DNS at origin prevented access and processing of personal data in the region, which represented an availability breach with possible repercussions on the rights of citizens.
The General Data Protection Regulation, in its Article 32, requires data controllers to adopt technical and organizational measures to guarantee the confidentiality, integrity, availability, and resilience of systems. However, dependence on third-country infrastructures poses additional risks for operational sovereignty and service continuity.
Legal obligations and security recommendations
European regulations establish that the data controller must demonstrate diligence in managing the risk derived from dependence on a non-substitutable provider. The interruption of services due to causes external to the European environment can directly affect the protection of personal data and the capacity to respond to technological emergencies.
- Identify and analyze risk in impact assessment
- Demand transparency from the provider regarding their resilience
- Design and implement mitigation measures in a contingency plan
These actions must allow to maintain essential operations even in case of provider failure, avoiding the total paralysis of personal data processing.
Context and reference materials
The situation is framed within the work of the Division of Innovation and Technology of the Spanish Data Protection Agency, which has published recent materials on security and risk management in processing supported by artificial intelligence and cloud services. Among them stand out "Voice transcription with AI implications for data protection" (January 2026), "Addressing Misconceptions of Artificial Intelligence" (March 2025) and "Personal data breaches security focused on processing" (March 2024).
Operational sovereignty and technological resilience remain as priority challenges for organizations that manage personal data in Catalonia and the rest of the European Union.