Image of Kiara of European Cloud
Kiara of European Cloud
/

What is the EU’s Cloud Sovereignty Framework?

A scientist measuring a cloud

Key Takeaways

  • The European Commission introduced a binding Cloud Sovereignty Framework in October 2025 to define and assess digital sovereignty of cloud services [^1][^5].
  • The framework establishes eight “Sovereignty Objectives” and a five‑level SEAL (Sovereignty Effectiveness Assurance Level) grading system [^1][^8].
  • Each objective is weighted, producing an overall Sovereignty Score that will be used in public‑sector procurement and can influence private‑sector contracts [^1][^2].
  • Early adopters such as Safespring and SUSE have published self‑assessments, showing scores between 86 % and 100 % and highlighting supply‑chain challenges [^8][^6].

Introduction

The EU’s Cloud Sovereignty Framework (CSF) aims to turn the abstract concept of “digital sovereignty” into concrete, measurable requirements for cloud service providers (CSPs). By defining eight specific objectives and a standardized scoring methodology, the Commission seeks to give public administrations—and eventually private enterprises—a clear tool to compare providers against EU strategic, legal, operational and environmental standards [^1][^5]. This article explains the framework’s structure, its assessment mechanics, and the early reactions from industry and civil‑society actors.

Background and Core Objectives

Adopted on 1 October 2025, the CSF draws on existing European initiatives such as CIGREF’s Trusted Cloud Referential, Germany’s “Souveräner Cloud”, French SecNumCloud, and the broader EU cybersecurity regime (ENISA, NIS2, DORA) [^1]. The framework lists eight Sovereignty Objectives that together capture the strategic, legal, technical and environmental dimensions of cloud sovereignty:

  1. SOV‑1 Strategic Sovereignty – ownership, governance and alignment with EU industrial policy.
  2. SOV‑2 Legal & Jurisdictional Sovereignty – applicability of EU law and insulation from foreign legal claims.
  3. SOV‑3 Data & AI Sovereignty – control over data location, processing and AI model governance.
  4. SOV‑4 Operational Sovereignty – ability to run, maintain and evolve services independently of foreign control.
  5. SOV‑5 Supply‑Chain Sovereignty – transparency and resilience of hardware and software supply chains.
  6. SOV‑6 Technology Sovereignty – openness, auditability and avoidance of vendor lock‑in.
  7. SOV‑7 Security & Compliance Sovereignty – compliance with GDPR, NIS2, DORA and EU‑centric security operations.
  8. SOV‑8 Environmental Sustainability – energy efficiency, renewable sourcing and circular‑economy practices.

These objectives are intended to supplement traditional security assurances with “sovereignty‑specific safeguards” that clarify what it means for a cloud service to be truly European [^1].

Sovereignty Effectiveness Assurance Levels (SEAL)

Providers are evaluated against each objective through a questionnaire, supporting evidence and public documentation. The assessment yields a SEAL rating from 0 to 4:

  • SEAL‑0 – No sovereignty (full non‑EU control).
  • SEAL‑1 – Jurisdictional sovereignty (EU law nominally applies).
  • SEAL‑2 – Data sovereignty (EU law enforceable but material non‑EU dependencies).
  • SEAL‑3 – Digital resilience (EU actors have meaningful influence).
  • SEAL‑4 – Full digital sovereignty (complete EU control, no critical non‑EU dependencies) [^1].

Contracting authorities set a minimum SEAL level for each objective; offers that fail to meet the threshold are rejected [^1][^2]. The SEAL system provides an “assurance baseline” that can be referenced throughout the contract’s lifecycle, allowing authorities to adjust technical requirements as risk profiles evolve [^1].

Scoring Methodology

Beyond the binary SEAL pass/fail, the framework introduces an overall Sovereignty Score. The score aggregates the individual objective scores, weighted according to perceived importance [^1]:

  • SOV‑1 Strategic – 15 %
  • SOV‑2 Legal – 10 %
  • SOV‑3 Data – 10 %
  • SOV‑4 Operational – 15 %
  • SOV‑5 Supply‑Chain – 20 %
  • SOV‑6 Technology – 15 %
  • SOV‑7 Security – 10 %
  • SOV‑8 Environmental – 5 %

The weighted sum is normalised to produce a percentage score that contributes to the overall quality score of a tender [^1]. This dual‑layered approach—minimum SEALs plus a composite score—aims to balance hard compliance thresholds with a nuanced view of a provider’s sovereignty posture.

Impact on Procurement and the Cloud Market

In a €180 million procurement launched in 2025, the European Commission required bidders to satisfy minimum SEAL levels across all eight objectives, effectively creating a “digital sovereignty gate” for public‑sector contracts [^5][^8]. Analysts argue that the CSF will:

“level the playing field, push providers toward greater transparency, and reduce dependence on non‑European hyperscalers.” [^2]

Early self‑assessments illustrate the framework’s practical implications. Safespring reported an overall score of 86.25 % and highlighted supply‑chain constraints due to the prevalence of non‑EU hardware components [^8]. SUSE’s free “Cloud Sovereignty Framework Assessment” allows organisations to benchmark their own stacks and offers tailored recommendations, underscoring the growing demand for tooling that translates the CSF into actionable roadmaps [^6].

Stakeholder Perspectives

Several stakeholder groups have weighed in:

  • Civil‑society organisations such as CADE view the framework as a timely response to rising concerns over extra‑EU data transfers and third‑country surveillance [^5].
  • Cloud providers are beginning to map their services to the SEAL levels; some, like OVHcloud and Scaleway, already advertise “EU‑hosted, EU‑controlled” offerings that align with SOV‑1 to SOV‑4 objectives [^3].
  • Enterprises see the CSF as a way to reduce compliance complexity, especially when dealing with overlapping regulations such as GDPR, NIS2 and the upcoming EU Data Act [^3][^9].

Future Outlook

The CSF is expected to evolve alongside other EU digital initiatives, including the forthcoming EU Cloud and AI Development Act and the Data Act, which aim to further reduce vendor lock‑in and enhance interoperability [^3]. As more contracts adopt the framework, a market for “sovereign‑by‑design” solutions is likely to expand, encouraging providers to invest in EU‑based hardware, open‑source stacks and transparent supply‑chain documentation. However, analysts caution that achieving full SEAL‑4 across all objectives will require coordinated policy support, incentives for European chip production, and ongoing standard‑setting work [^4][^7].

Conclusion

The EU’s Cloud Sovereignty Framework transforms the abstract goal of digital independence into a concrete, assessable set of criteria. By combining eight sovereignty objectives, a tiered SEAL rating, and an aggregated score, the framework offers public purchasers a transparent tool for selecting cloud services that respect EU strategic, legal and environmental priorities. Early industry responses suggest that while full sovereignty remains challenging, the CSF is already shaping procurement practices and encouraging greater openness and resilience in the European cloud ecosystem. Ongoing refinement and broader adoption will determine whether the framework can truly safeguard European data against geopolitical risks while fostering a competitive, innovative cloud market.

References

[^1]: European Commission (Oct 1 2025). “Cloud Sovereignty Framework” (PDF). European Commission. Retrieved 24 February 2026.
[^2]: InfoQ (Nov 3 2025). “EU’s Cloud Sovereignty SEAL Ranking Forces Governance …”. InfoQ. Retrieved 24 February 2026.
[^3]: Wire (Oct 7 2025). “What Is Cloud Sovereignty? A Guide for European Enterprises”. Wire. Retrieved 24 February 2026.
[^4]: KuppingerCole (Feb 12 2026). “Will the EU’s Cloud Sovereignty Framework Mitigate Geopolitical Cloud Risks?”. KuppingerCole. Retrieved 24 February 2026.
[^5]: CADE (Oct 21 2025). “European Commission introduces Cloud Sovereignty Framework to strengthen data independence”. CADE – Civil Society Alliances for Digital Empowerment. Retrieved 24 February 2026.
[^6]: SUSE (Jan 28 2026). “Stop Guessing Your Compliance: Master the EU Cloud Sovereignty Framework in Minutes”. SUSE Communities. Retrieved 24 February 2026.
[^7]: LinkedIn (Dec 13 2025). “Europe’s Cloud Sovereignty Framework: A Reality Check”. LinkedIn. Retrieved 24 February 2026.
[^8]: Safespring (Feb 19 2026). “The EU just defined Sovereign Cloud, here is our score”. Safespring Blog. Retrieved 24 February 2026.
[^9]: Workday (Nov 19 2025). “Data Sovereignty: From Debate to Design Principle”. Workday Blog. Retrieved 24 February 2026.

Further Reading

Geopolitics illustration with chess figures
Geopolitics drives CIOs into the arms of European cloud providers
Airbus A340
Europe’s cloud challenge: Building an Airbus for the digital age
French Video Conference
Au revoir Microsoft Teams, Zoom

This article was written with the help of AI.

Tagged

Leave a Comment

Your email address will not be published. Required fields are marked *

Schwarz Digits and Sentinel One Partnership
SentinelOne & Schwarz Digits Cooperate on Sovereign Cybersecurity for Europe
Geopolitics illustration with chess figures
Geopolitics drives CIOs into the arms of European cloud providers
Airbus A340
Europe’s cloud challenge: Building an Airbus for the digital age
French Video Conference
Au revoir Microsoft Teams, Zoom
Colored chairs in front of Google office
“Blackmail Potential”: Computer Scientists Against Cloud Cooperation Between BSI and Google
To top