A cloud service is either sovereign or it’s not – just as food is either organic or it’s not. You can’t be 75% organic, and you shouldn’t be 75% sovereign either. Yet that’s exactly the confusion created by the European Commission’s new EU Cloud Sovereignty Framework.
Rather than bringing clarity, the Framework muddies the waters by introducing a murky “sovereignty score” that averages the impossible with the irrelevant. It mixes unattainable goals – such as full EU control over every hardware component – with vague ideas like “assurances against change of control.” By creating an average of weighted averages, it moves even further from transparency and leaves ample room to hide inconvenient truths.
In practice, most European cloud service providers are likely to score lower than foreign hyperscalers under this system – perhaps that’s the idea – preserving the status quo under a cloak of “sovereignty.” The message seems to be: can’t comply with European ownership and control requirements? Never mind – make up the numbers through investment or participation in EU schemes.
Of course, sovereign – like organic – isn’t and should not be the only option. You can still choose free-range, grass-fed, or local products that don’t qualify for the organic label. The same applies to cloud: some organisations need control beyond a single geography, especially since sovereignty is inherently tied to specific nations or regions.
Europe already has the “organic” sovereign benchmark in Gaia-X Level 3 – a label that CISPE is activating through its Cloud Services Catalogue, helping customers easily find compliant services. But this must evolve to reflect today’s global reality, extending recognition to European providers – including SMEs – that deliver trusted cloud services beyond Europe.
We are going further by developing labels that clearly distinguish Sovereign Cloud and Operationally Resilient Cloud services — providing the transparency missing from the EU’s so-called “sovereign” procurement framework. The former builds on Gaia-X Level 3 to guarantee complete immunity from foreign interference and 100% European control. The latter offers customers – especially those in global supply chains – verifiable levels of operational and legal control over their data, even outside Europe.
Sovereignty is a critical issue in today’s cloud-first and tomorrow’s AI-driven economy. Public and private customers alike must be able to assess, clearly and confidently, the level of control they have – or are willing to accept – when they entrust their data to a cloud service. The current version EU Cloud Sovereignty Framework fails to deliver that clarity.