The EU's Cloud Sovereignty Framework
In October 2025, the European Commission's DG DIGIT published v1.2.1 of the Cloud Sovereignty Framework — a procurement instrument that, for the first time, gives buyers in EU institutions a common, scoreable definition of what “sovereign cloud” actually means. The framework is built around two pieces: eight Sovereignty Objectives (SOV) with weighted scores, and a five-level Sovereignty Effectiveness Assurance scale (SEAL).
The mechanics matter. A tender specifies a minimum SEAL level; any provider scoring below that level is rejected outright, regardless of price. That turns sovereignty from a marketing slogan into a hard gate on access to EU public-sector contracts — and it makes the underlying objectives worth understanding in detail.
The eight Sovereignty Objectives
Each objective is scored independently and contributes to an overall sovereignty rating. Note that SOV-5 Supply Chain carries the heaviest weight at 20% — a clear signal that the Commission considers hardware origin and firmware provenance the single biggest sovereignty risk in cloud procurement today.
| ID | Sovereignty Objective | Focus | Weight |
|---|---|---|---|
| SOV-1 | Strategic Sovereignty | EU ownership, governance, financing & investment | 15% |
| SOV-2 | Legal & Jurisdictional | EU law applicability; exposure to CLOUD Act, Chinese CSL | 10% |
| SOV-3 | Data & AI Sovereignty | Customer-controlled encryption, EU-only processing, AI autonomy | 10% |
| SOV-4 | Operational Sovereignty | EU talent, support, migration freedom, source code access | 15% |
| SOV-5 | Supply Chain Sovereignty | Hardware origin, firmware provenance, EU vendor dependency | 20% |
| SOV-6 | Technology Sovereignty | Open standards, open source, non-proprietary APIs | 15% |
| SOV-7 | Security & Compliance | EU-based SOC, GDPR/NIS2/DORA, independent audits | 10% |
| SOV-8 | Environmental Sustainability | Energy efficiency, carbon transparency, circular economy | 5% |
SEAL — Sovereignty Effectiveness Assurance Levels
SEAL collapses the SOV scoring into a single, comparable label from SEAL-0 (none) to SEAL-4 (full). The bands are deliberately strict: only SEAL-4 requires complete EU control, and even SEAL-3 still permits “marginal control by non-EU third parties”.
| Level | Name | Description |
|---|---|---|
| SEAL-0 | No Sovereignty | Service, technology or operations under exclusive control of non-EU third parties, governed entirely in non-EU jurisdictions. |
| SEAL-1 | Jurisdictional Sovereignty | EU law formally applies with limited practical enforceability; service under exclusive control of non-EU third parties. |
| SEAL-2 | Data Sovereignty | EU law applicable and enforceable, with material non-EU dependencies remaining; service under indirect control of non-EU third parties. |
| SEAL-3 | Digital Resilience | EU law applicable and enforceable; EU actors exercising meaningful but not full influence; marginal control by non-EU third parties. |
| SEAL-4 | Full Digital Sovereignty | Technology and operations under complete EU control, subject only to EU law, with no critical non-EU dependencies. |
Source: European Commission DG DIGIT — Cloud Sovereignty Framework v1.2.1, Oct. 2025 (PDF, English)
What this means in practice
The framework reframes the sovereignty conversation. It is no longer enough to host data in an EU region: the question is who owns the operator, where the silicon was made, whose firmware sits beneath the hypervisor, and which jurisdictions can compel disclosure. For operators of email, collaboration, and storage services targeting EU customers, the message is simple — building on Free Software and EU-controlled infrastructure is no longer a philosophical choice; it is the cheapest path to a procurement-eligible SEAL rating.