EU Cloud Sovereignty Framework, definitely not a Sleeping Pill

Let’s be honest: most EU policy documents read as if they were written by a committee of lawyers who drank too much espresso and then fell asleep at their keyboards anyway. Pages full of “having considered that” and “with reference to Article 42, paragraph 3, subparagraph b,” where after 10 minutes, you still don’t know what it’s actually about.

But now… now the European Commission has done something I never thought possible: they have written a framework on cloud sovereignty that you can actually use. Without a legal dictionary. With concrete criteria. And – pay attention – it even works and distinguishes between true sovereignty and “sovereignty washing.”

An EU document with practical tools? That’s about as rare as a tax-paying unicorn.

From Marketing Buzzword to Measurable Reality

“Sovereign cloud” has long been a frequently used term without tangible meaning. Every cloud provider claimed it, no one could define it, and customers had no way to verify the claims. The new Cloud Sovereignty Framework changes this by introducing two complementary assessment systems: SEAL and Objectives. This makes discussing and assessing sovereign cloud much easier. (The full EU document is linked under Source at the end of this post.)

The SEAL System: The Entry Threshold

The Sovereignty Effectiveness Assurance Level (SEAL) acts as a minimum requirement per tender. Providers who do not meet the required level are excluded:

  • SEAL-0: Completely non-EU management and jurisdiction
  • SEAL-1: EU law formally applicable but limited enforceability
  • SEAL-2: EU law enforceable, but material non-EU dependencies remain
  • SEAL-3: EU actors have meaningful but not complete control
  • SEAL-4: Complete EU control without critical non-EU dependencies

Sovereignty Score: The Quality Differentiator

In addition to the SEAL threshold, a weighted score is calculated that determines which qualified provider wins the contract.

The Eight Sovereignty Objectives

The framework assesses providers on eight objectives with different weightings:

  • SOV-1: Strategic Sovereignty: Where do decision-making powers lie, and where is value created? 15%
  • SOV-2: Legal & Jurisdictional Sovereignty: Which legal system applies, and can non-EU law (like the US CLOUD Act) enforce access? 10%
  • SOV-3: Data & AI Sovereignty: Who controls encryption keys, and where are data and AI models processed? 10%
  • SOV-4: Operational Sovereignty: Can EU actors independently manage the service without vendor lock-in? 15%
  • SOV-5: Supply Chain Sovereignty: Where are hardware, firmware, and software produced, and who controls the supply chain? 20%
  • SOV-6: Technological Sovereignty: Is the technology based on open standards, and can the code be inspected? 15%
  • SOV-7: Security & Compliance Sovereignty: Where do Security Operations Centres operate, and who performs audits? 10%
  • SOV-8: Sustainability: What is the long-term resilience in terms of energy, raw materials, and environmental impact? 5%

The 20% weighting for supply chain sovereignty (SOV-5) underscores the importance of transparency and control over the complete supply chain.

The €180 Million Test Case

The Commission is directly applying the framework in a large tender for sovereign cloud services worth €180 million over 6 years. Between December 2025 and February 2026, a maximum of four providers will be selected. These first contracts will serve as a practical test of whether the framework can distinguish between genuine sovereignty and “sovereignty washing.”

The Controversy: European Providers vs. Hyperscalers

CISPE, the association of European cloud providers, criticizes the framework. Their concern: US hyperscalers (AWS, Azure, Google Cloud), which already control 70% of the European cloud market, might score high through EU subsidiaries and compliance measures despite fundamental non-EU dependencies.

The central question is whether providers who score low on strategic (15%) and legal sovereignty (10%) – a combined 25% – can compensate for this by achieving high scores on the remaining 75%. The answer depends on two critical factors: what minimum SEAL level contracting authorities set, and how effectively the weighting works in practice.
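The compensation question can be made concrete with a small model, added here as an illustration and not taken from the framework or the tender. The weights are the ones listed above; how a per-objective level converts into points (level divided by 4, times the weight), the rule that the gate looks at the lowest per-objective level, and both providers are assumptions constructed for the example.

```python
# Weights per objective in percent, as listed in the article (sum to 100).
WEIGHTS = {"SOV-1": 15, "SOV-2": 10, "SOV-3": 10, "SOV-4": 15,
           "SOV-5": 20, "SOV-6": 15, "SOV-7": 10, "SOV-8": 5}
MAX_SEAL = 4  # SEAL-0 .. SEAL-4


def sovereignty_score(levels):
    """Weighted score from 0 to 100.

    Assumption (not from the framework text): a SEAL level L reached on an
    objective earns L/4 of that objective's weight.
    """
    if set(levels) != set(WEIGHTS):
        raise ValueError("a level is required for each of the eight objectives")
    if any(not 0 <= lvl <= MAX_SEAL for lvl in levels.values()):
        raise ValueError("SEAL levels range from 0 to 4")
    return sum(WEIGHTS[obj] * levels[obj] / MAX_SEAL for obj in WEIGHTS)


def evaluate(providers, min_seal):
    """Apply the SEAL gate, then rank the remaining providers by score.

    Assumption: the gate is applied to the lowest level a provider reaches
    on any single objective.
    """
    qualified = {
        name: sovereignty_score(levels)
        for name, levels in providers.items()
        if min(levels.values()) >= min_seal
    }
    return sorted(qualified.items(), key=lambda item: item[1], reverse=True)


# Constructed providers: one weak on SOV-1/SOV-2 but maximal elsewhere,
# one at SEAL-3 across the board.
PROVIDERS = {
    "subsidiary-model": {**{obj: 4 for obj in WEIGHTS}, "SOV-1": 1, "SOV-2": 1},
    "eu-native": {obj: 3 for obj in WEIGHTS},
}

if __name__ == "__main__":
    for threshold in (1, 2):
        print(f"minimum SEAL-{threshold}:", evaluate(PROVIDERS, threshold))
```

With a SEAL-1 threshold the provider that is weak on strategic and legal sovereignty still ranks first in this model; at SEAL-2 it is excluded before scoring, which is why the threshold matters more than the weights.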

My Perspective: Not Perfect, But Usable

As a privacy and cloud expert, I see this framework as an essential step forward. For the first time, we have concrete, verifiable criteria instead of vague marketing claims.

What works:

  • Measurability: From abstract concept to concrete assessment criteria
  • Holistic approach: Sovereignty is more than just data location
  • Market dynamics: Transparency creates healthy competition based on objective criteria

What keeps me up at night:

  • SEAL thresholds are crucial: Minimum requirements that are set too low make the framework worthless
  • Sovereignty washing: Superficial compliance without fundamental change remains a risk
  • Enforcement: Monitoring and verification must be robust; otherwise it becomes a tick-box exercise

Practical Applicability

For organizations in the public sector, regulated industries, or companies that value digital autonomy, this framework offers a practical instrument for vendor selection.

My recommendations:

  1. Use the eight SOV objectives as a checklist for cloud provider evaluations.
  2. Ask targeted questions about legal exposure and supply chain transparency.
  3. Demand concrete proof and independent audits, not marketing material.
  4. Consider multi-cloud strategies with a focus on interoperability (SOV-4 and SOV-6).
  5. Invest in internal expertise – true sovereignty also requires in-house capacity.

Conclusion: The Value Is in the Application

The EU Cloud Sovereignty Framework is not a perfect solution, but it is a necessary one. In a world where data is the raw material of the economy and geopolitical tensions are rising, we cannot leave digital infrastructure to external control without adequate safeguards.

The first contracts concluded under this framework will determine whether this becomes a game-changer or a paper tiger. If contracting authorities set high SEAL thresholds and score meticulously, the framework can genuinely strengthen European digital autonomy. If it is watered down into a compliance exercise with low requirements, it will be another missed opportunity.

The choice lies with public and private organizations making infrastructure decisions. This framework finally gives us the tools – now we must dare to use them.

What is your perspective on the EU Cloud Sovereignty Framework? Effective safeguard or administrative burden? Share your view in the comments.

Source: https://commission.europa.eu/document/download/09579818-64a6-4dd5-9577-446ab6219113_en?filename=Cloud-Sovereignty-Framework.pdf

