AWS, Microsoft and Google now operate cloud regions in Mexico. AWS and Microsoft alone have publicly committed more than $6 billion to Mexican cloud infrastructure. AWS launched its Mexico (Central) Region in January 2025, backed by a $5 billion, 15-year commitment announced in February 2024, per Amazon's own press release. Microsoft's Mexico Central region went operational in May 2024, on the basis of a $1.1 billion investment announced in 2020, per Microsoft's Innovar por México plan. Google Cloud opened its Mexico region in December 2024. Mexico now has 279 megawatts of operational data center capacity, up from 115.5 MW in 2024, per Mexico Business News citing MEXDC data. The bottleneck is no longer demand. It is governance, energy and security.

In February 2026, Israeli cybersecurity firm Gambit Security published initial findings claiming that a single attacker used AI tools to breach nine Mexican federal and state institutions between December 2025 and February 2026, exposing an alleged 195 million records. In April, Gambit followed with a full technical report. SAT, INE and multiple state agencies formally denied the breach. Gambit published its report on the same day it announced $61 million in funding. Anthropic and OpenAI confirmed they banned the accounts involved and acknowledged misuse of their platforms, per Bloomberg, February 2026. The breach figures are unverified and contested. The documented use of commercial AI tools in the campaign is the part that matters for this issue.

The risk is not that German companies are using US cloud providers in Mexico. The risk is that their compliance model still treats data, infrastructure and government access as separate topics. In practice, they now sit on the same map.

In European IT contract negotiations, GDPR clauses are not boilerplate. They are some of the most contested sections in any agreement, often pulling in a dedicated data protection team as a second reviewer alongside legal counsel. Privacy officers, procurement, IT security and the data protection officer in the same room, arguing over who can access what data, where it can be stored and who is responsible if something goes wrong. Those reviews can take weeks.

So when I look at what is being built in Mexico right now, and then look at the rules that are supposed to govern it, something does not add up.