Sharp criticism of the EU framework for cloud sovereignty
The European cloud provider association CISPE accuses the EU of causing confusion with its new sovereignty framework and favoring US providers.
(Image: heise medien)
The industry association CISPE (Cloud Infrastructure Services Providers in Europe) is sharply criticizing the new EU Cloud Sovereignty Framework. In its current form, the framework does not create clarity, but rather dilutes the concept of cloud sovereignty through an imprecise rating system.
The core of the criticism is the "Sovereignty Score" introduced by the framework, which makes cloud sovereignty assessable and also gradable. CISPE draws a comparison to organic food: "A cloud service is either sovereign or it is not – just as food is either organic or not. There can be no 75 percent organic, and there should be no 75 percent sovereign." The scoring system mixes unattainable goals such as complete EU control over every hardware component with vague concepts such as "safeguards against changes in control."
Particularly explosive: CISPE fears that European cloud providers will perform worse under this system than US hyperscalers. The association even suspects a system behind it – the framework could preserve the status quo under the guise of sovereignty. The implicit message is: those who cannot meet European ownership and control requirements can compensate for the score through investments or participation in EU programs.
Videos by heise
The Alternative: Gaia-X Level 3
As an alternative, CISPE refers to the existing Gaia-X Level 3 label – completely immune to external influences and 100 percent under European control. Furthermore, CISPE is developing its own labels that clearly distinguish between "Sovereign Cloud" and "Operationally Resilient Cloud." The former are based on Gaia-X Level 3; the latter offers customers in global supply chains verifiable levels of control over their data, even outside Europe.
In its statement, CISPE emphasizes the critical importance of clear sovereignty definitions in an "increasingly AI-driven economy." Public and private customers must be able to clearly assess what level of control they receive when entrusting their data to cloud services – or are willing to accept. The current EU Cloud Sovereignty Framework does not provide this clarity.
(fo)
