Cloud Sovereignty Framework: when the devil is in the details

Everyone agrees on welcoming the European Union’s initiative to create a common framework for the public cloud market and to promote European providers. But buried in sometimes obscure criteria, the chosen scoring grid could ultimately favor the GAFAMs, cloud operators worry. Bureaucratic nightmare, anyone?

The objectives of this new management tool are clear. As its name suggests, structured around eight goals (strategic, legal, operational sovereignty, as well as data, AI, security, and compliance sovereignty), this framework—published last month—is meant to provide a transparent reference system and align buyers and providers around common criteria and shared semantics to define sovereignty. But, as often happens, the methodology is what sparks debate.
The CISPE, the association of European cloud infrastructure service providers, is concerned.
“Firstly, we do not believe that a single score for sovereignty makes sense—either you are sovereign, or you are not,” says Francisco Mingorance, Secretary General of the CISPE. “Secondly, the weighting of the key aspects that determine true legal sovereignty only represents 10% of the total score. This means that a foreign provider that completely fails in this category can still achieve a high sovereignty rating by scoring well in other areas.”

Fragmentation and confusion

Yet it is precisely within this controversial framework that a first call for tenders worth €180 million over four years has been launched by the European Commission to equip EU institutions. Four suppliers will be selected. The contract is expected to be awarded between next month and February 2026.
“The main risk,” warns Mr. Mingorance, “is that this framework allows procurement teams to claim they are buying sovereign services which, in reality, do not always provide guarantees of immunity against control and access to data by foreign regimes—while that is the very purpose of sovereignty.”
According to him, another risk is that authorities could score candidates differently, leading to fragmentation and confusion over which services are sovereign and which are not.

A burning issue

Clearly, however transparent it claims to be, this new reference model—inspired by Cigref’s trusted cloud initiative, Gaia-X, and European cybersecurity certification frameworks like NIS2 and DORA—is far from unanimous among digital industry players. The reactions are all the more intense because the stakes are high.
“The notion of score prevails over that of level,” laments Servane Augier, Director of Public Affairs at NumSpot, a French sovereign cloud provider. “The document makes overly complex concepts that could have been very simple, since we all end up with different interpretations when we should be aligned.”

Now integrated into European public procurement, this new administrative framework has not appeared this autumn by chance. The tool is intended to replace the EUCS (European Cybersecurity Certification Scheme for Cloud Services), which has been bogged down for years in endless discussions between member states.
“This framework creates confusion and opacity instead of the clarity that customers and providers need,” criticizes Mr. Mingorance. “The criteria are poorly defined, and the allocation of points is too vague.”

Different weightings
“The tool contains interesting ambitions, but ones that drift away from the topic of sovereignty,” continues Ms. Augier. “In the environmental section, for example, we wonder how PUE criteria (power usage effectiveness of data centers) relate to a sovereignty index. Everything is being mixed up. It suggests that a non-sovereign cloud doesn’t need to be sustainable, which would be absurd. Sustainability belongs to other frameworks.”

In this scoring system—designed to measure cloud providers’ sovereignty and guide European public administration procurement—not all criteria carry the same weight. The supply chain counts for 20% of the final score, while environmental sustainability represents only 5%.
“The big players (AWS, Microsoft, or Google) will be able to achieve very high overall scores that minimize the impact of poor results in legal and jurisdictional sovereignty—which only account for 10% of the total score,” notes Mr. Mingorance.

The Shadoks were pumping

In each of the eight categories, candidates receive a score from 0 to 4, a “SEAL” (Sovereignty Effective Assurance Level) meant to certify—or not—the sovereignty of their cloud offering. The overall score is expressed as a percentage. It is then integrated into the tender evaluation grid, alongside the technical, financial, and quality scores. Sovereignty accounts for 15% to 20% of the total evaluation.
“Since they are subject to U.S. laws, the GAFAMs don’t even reach level 1 when it comes to data sovereignty,” observes Ms. Augier. “That settles the matter. So why add an overall score? And why separate the three types of sovereignty—strategic, legal, and operational—when they are inseparable? We’re back to the days of the Shadoks pumping!”

Even though the framework is not legally binding, the European Commission encourages member states to use this “Cloud Sovereignty Score” as a common evaluation grid for their own public procurement, in order to harmonize demand.
Meanwhile, the CISPE says it is working on its own sovereignty label.