CISPE Challenges the “75% Sovereign”: Calls for a Clear and Binary Definition of Sovereign Cloud Under the New European Commission Framework

The debate around cloud sovereignty has reignited in Brussels. The European umbrella organization for cloud infrastructure providers, CISPE, has published a strongly critical position regarding the new EU Cloud Sovereignty Framework set out by the European Commission. Their stance is clear: “a cloud service is either sovereign or it is not”; there is no such thing as a “75% sovereign” service, just as a food product cannot be “75% organic.” They argue that the framework introduces a sovereignty scoring system that blends unattainable criteria with vague ones and opens the door to “number fixing” without ensuring real control, which could favor large foreign hyperscalers and maintain the status quo under the guise of “sovereignty.”

What does the new European Commission framework say?

The Cloud Sovereignty Framework is primarily an assessment tool that the Commission links to its public procurement process. According to the EU executive, the framework measures provider performance based on eight sovereignty objectives (strategic, legal, operational, environmental, supply chain transparency, technological openness, security, and compliance), using a scoring methodology that would allow comparisons in tenders like those under the Cloud III DPS. The document references frameworks such as Gaia-X, CIGREF, ENISA/NIS2, and DORA. Its declared goal: contract more independent services aligned with European laws, using uniform criteria.

Why does CISPE believe the “score” causes more confusion than clarity?

For CISPE, averaging scores and mixing impossible criteria (like European control over each hardware component) with vague ones (“guarantees against control changes”) leads to opacity that hides uncomfortable realities. They also warn of a perverse effect: many European providers — including SMEs — might score lower than large global providers, distorting competition under the guise of “statistical” sovereignty that is not genuinely effective. Remember, sovereignty is binary and territorial: either European control and immunity from external interference can be guaranteed, or they cannot. At the same time, sovereignty should not be the only choice in the market: organizations with global needs demand other clear but differentiated categories.

The benchmark: Gaia-X Level 3

CISPE suggests that Europe already has a comparable “eco-label” in Gaia-X Level 3, which sets the highest standard for data protection, security, transparency, European control, and resilience, with service located in Europe and reinforced requirements—such as compliance with high-level European cybersecurity schemes from ENISA—to reduce the risk of non-European access. As a starting point, Level 3 would serve to identify fully sovereign services and provide third-party verification (CAB) to avoid ambiguity.

The catalog and the new labels proposed by CISPE

To address the multinational reality of many supply chains, CISPE announces two complementary labels in its Cloud Services Catalogue:

  • Sovereign Cloud (based on Gaia-X Level 3), which guarantees total immunity from foreign interference and 100% European control over the service.
  • Operationally Resilient Cloud, aimed at clients operating outside Europe who need verifiable levels of operational and legal control over their data beyond European borders.

The idea is to provide real transparency: clearly distinguish between full sovereignty and operational resilience in global environments, without diluting concepts. Meanwhile, CISPE frames these initiatives within its Sovereign Cloud Manifesto (due July 2025), which calls for practical rules that support competitive and secure European options.

The political and regulatory context matters

The debate is not happening in a vacuum. In 2024, the EU relaxed some sovereignty requirements in drafts of the cloud cybersecurity certification scheme (EUCS), such as mandates for joint ventures or strict jurisdiction controls. This decision favored the entry of non-European providers into sensitive contracts, according to industry sources. Major European companies, like Deutsche Telekom or Airbus, criticized this shift, warning about the risks of extraterritorial laws like the U.S. Cloud Act. In 2025, the launch of assessment frameworks with “sovereignty scores” rekindles the debate: Are these helping Europe gain independence or just offering a complacent snapshot without addressing the core issues?

What’s at stake for the public sector (and who benefits from each approach)

For a government body needing clarity in procurement, a binary label such as “sovereign / non-sovereign” can be clearer than a composite score: it reduces interpretation and simplifies subsequent oversight. If the framework relies on third-party verifiable labels (like Gaia-X Level 3 for sovereignty), the risk of cosmetic compliance diminishes. Conversely, a system of weights might reward broad investments or commitments without ensuring jurisdictional control or immunity from interference—which are critical for sensitive sectors like health, justice, defense, and taxation.

However, the Commission emphasizes that its framework harmonizes criteria and accelerates procurement of services compliant with European laws. The core issue is not the objectives (more autonomy and less dependence) but the methods: aggregated metrics versus labels with strict thresholds. This tension largely shapes the competitive landscape: European providers advocate for clear, achievable rules that value their territorial control; hyperscalers deploy “sovereign” offers (e.g., announcing exclusive EU personnel operation and technical separation) to adapt.

A practical guide for CIOs and CISOs

Beyond the political debate, the technology leader needs actionable criteria:

  1. Set the threshold: if the use case demands strict sovereignty, require Gaia-X Level 3 accreditation or a seal that guarantees 100% European control (data, operations, support, jurisdiction).
  2. Trace the chain: demand transparency from sub-processors and data routes, including telemetry and support scenarios.
  3. Assess applicable laws: request legal opinions on extraterritoriality (like the Cloud Act) and effective technical measures (encryption with EU key management and operational separation).
  4. Avoid “box-ticking”: prefer verified labels and audits over vague promises.
  5. Develop an exit plan: ensure portability and reversibility with verifiable SLAs.

With this approach, a city hall, hospital, or industrial company can consciously choose between a sovereign service—when regulations and risks require it—or a resilient, global option—when the business demands it—without confusing the categories.

Where could the European framework evolve?

The implementation of the Cloud Sovereignty Framework in actual tenders will reveal whether the sovereignty scoring introduces transparency or, as CISPE fears, opacity. A reasonable pathway to convergence might involve linking the higher levels of the score to strict, verifiable labels (like Gaia-X Level 3), while maintaining intermediate levels for global scenarios—with operational and legal guarantees—that do not promise sovereignty but do ensure verifiable controls and mitigation measures.

Meanwhile, competitive pressures will continue to grow. Hyperscalers announce European sovereign offers with technical and organizational separation; European providers request that public procurement not disincentivize local options by demanding the impossible in some areas and easing restrictions in others. There is consensus, however, that in an increasingly cloud-first economy and an AI landscape that amplifies the value of data, governance—who can see, handle, or request access—is strategic for Europe.


Frequently Asked Questions

What is the difference between “Sovereign Cloud” and “Operationally Resilient Cloud” according to CISPE’s proposal?
Sovereign Cloud aims for total immunity from foreign interference and 100% European control of the service (data, operations, support, jurisdiction), referencing Gaia-X Level 3. Operationally Resilient Cloud is designed for global operations: it does not promise strict sovereignty but verifiable levels of operational and legal control over data outside Europe.

What does Gaia-X Level 3 practically require of a cloud provider?
Level 3 targets the highest standard for data protection, security, transparency, portability, and European control, with location in Europe, compliance with high-level European cybersecurity schemes from ENISA, and third-party certification (CAB). Its goal is to shield the service from non-European access and vendor lock-in.

Why does CISPE criticize the Commission’s “sovereignty score”?
Because, according to the association, it averages heterogeneous criteria—some unattainable, others vague—and allows result manipulation, so the actual value of “sovereign” becomes diluted. They call for clear and verifiable labels instead of confusing aggregate scores.

How does this debate relate to the EU’s changes in the cybersecurity scheme (EUCS) and public procurement?
EUCS revisions in 2024 relaxed sovereignty requirements, causing sectoral division. In 2025, the Commission promotes public procurement with a sovereignty scoring framework. The practical outcome will depend on how criteria are applied and the weighting given to strict labels versus averages, especially in critical sectors.

via: cispe.cloud
