Cloud Sovereignty Framework: How the EU will assess cloud sovereignty

With a new assessment system, the EU Commission wants to procure sovereign cloud services. An 8-point catalog defines concrete criteria for the first time.

The European Commission has presented a detailed assessment system for cloud services and simultaneously announced a procurement initiative worth 180 million euros. The new Cloud Sovereignty Framework is intended to help EU institutions and agencies select cloud services based on uniform sovereignty criteria. With this, Brussels aims to reduce dependence on non-European providers.

The Framework defines concrete metrics for cloud sovereignty for the first time, aiming to replace abstract principles with measurable quantities. At its core are eight sovereignty objectives covering strategic, legal, operational, and technological dimensions. Each objective can be assessed using the Sovereign European Assurance Level (SEAL), a ranking system that classifies cloud providers according to their compliance with EU sovereignty standards.

The eight sovereignty objectives include, among others, control over data locations, protection against extraterritorial law enforcement, supply chain transparency, and technological independence for key components. Particularly relevant is the assessment of the extent to which cloud services are shielded from access by non-EU authorities – a direct response to the US Cloud Act and similar regulations.

The SEAL assessment system uses different assurance levels to quantify the degree of sovereignty. Cloud providers must provide evidence that their services comply with the defined criteria. This includes information on company structure, data processing locations, technology used, and potential legal influence by third countries.

The assessment considers both technical and organizational aspects, from where providers store encryption keys, to the origin of hardware components, to legal control over subsidiaries. The supply chain is also scrutinized – CPUs, GPUs, storage components, or network hardware must be checked for their EU origin or guaranteed transparency.

The planned procurement of 180 million euros for sovereign cloud services could have a lasting impact on the European cloud market. At first glance, the framework is intended to benefit European providers, but US hyperscalers could also benefit: Microsoft, Google, and Amazon have already founded European subsidiaries and offer special EU cloud services that are intended to guarantee local data storage.

All these criteria could be easier for established US providers to meet than for smaller European cloud providers, who may not be able to handle all the technological requirements. However, the Commission emphasizes that the assessment of control structures and legal independence, in particular, would favor genuine European providers.

The framework fits into the broader EU digital strategy, which, in addition to the General Data Protection Regulation (GDPR), also includes initiatives such as Gaia-X and the planned Cloud and AI Development Act. While Gaia-X is designed as a federated data infrastructure, the Cloud Sovereignty Framework relies on concrete assessment criteria for public procurement.

EU institutions and agencies should be able to apply the framework immediately in tenders. National authorities and private companies can also use the criteria for their cloud strategy. Compliance will be monitored through regular audits and certification bodies, although details on the enforcement mechanism are still being worked out.

It remains open how the framework relates to existing cloud certification under the European Cybersecurity Act and whether a harmonization of the various assessment systems is planned. For cloud providers, the framework means additional documentation effort if they want to position themselves on the market with demonstrable sovereignty.

(fo)

This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.