European Commission - A Cloud Sovereignty Framework for strategic procurement

In its Cloud Sovereignty Framework, the European Commission introduces a structured methodology for measuring and operationalising digital sovereignty in the procurement of cloud services. By building on existing European initiatives (including CIGREF's Trusted Cloud Referential, Gaia-X policy rules, and the European Cybersecurity Certification Framework), the document translates an inherently political concept into eight concrete, scorable objectives. In April 2026, the framework was applied in practice: the Commission awarded a sovereign cloud contract worth up to €180 million over six years to four European providers. It marks the first time EU institutions have subjected cloud procurement to explicit sovereignty criteria.

Digital sovereignty has been a persistent reference in European technology policy discourse for some years. The concept has appeared in Commission communications, national cloud strategies, and Gaia-X policy documents, often as an aspirational goal without settled operational meaning. The Cloud Sovereignty Framework, developed by the Directorate-General for Digital Services, represents an attempt to close this gap. The document does not merely describe sovereignty, it structures it into an assessment instrument applicable within public procurement procedures.

The framework draws explicitly on French and German national cloud strategies:  "Cloud de Confiance" and "Souveräner Cloud" respectively; as well as international practices in export controls and supply chain resilience. The ambition is to provide public institutions not only with a vocabulary for sovereignty, but with a methodology that generates comparable, defensible results when selecting cloud service providers.

Eight sovereignty objectives

The framework structures digital sovereignty across eight distinct objectives (SOV-1 through SOV-8), each carrying a defined set of contributing factors against which tenderers are assessed. The distribution of scoring weights reflects the Commission's interpretation of where sovereignty risk is most concentrated.

Supply chain sovereignty (SOV-5) carries the highest weight at 20%. It reflects the Commission's view that control over hardware provenance, firmware origin, and software architecture represents the most critical and least substitutable dimension of sovereignty risk. Legal and security objectives carry relatively lower scoring weights (10% each) precisely because the procurement procedure already embeds significant safeguards in those domains through baseline contractual requirements.

Sovereignty effectiveness assurance levels (SEAL)

For each of the eight objectives, tenderers are assigned a Sovereignty Effectiveness Assurance Level (SEAL), ranging from SEAL-0 to SEAL-4. These levels function both as a minimum threshold for eligibility and as an award criterion contributing to an overall Sovereignty Score.

SEAL-2 (Data Sovereignty) was set as the minimum eligibility threshold for the Commission’s own tender. At this level, EU law is applicable and enforceable, though material non-EU dependencies may remain. SEAL-4, by contrast, requires that technology and operations fall entirely under EU control, with no critical non-EU dependencies — a standard that presupposes a complete European supply chain from chip to software layer.

In April 2026, the Commission announced the results of its Sovereign Cloud tender, the first procurement procedure to apply the framework in practice. Four contracts were awarded, explicitly structured to ensure diversification and avoid single-provider dependency. 

Three of the four awarded consortia reached SEAL-3, indicating that their services, technologies and operations are broadly immune from supply chain disruption by non-EU third parties. The Belgian-led Proximus consortium, which leverages Google Cloud technology operated exclusively by EU companies through the S3NS joint venture (a partnership between Thales and Google Cloud), reached SEAL-2. This result is notable: it confirms that non-European underlying technology can satisfy minimum sovereignty requirements when operated within a sufficiently controlled EU framework. This is a nuanced position that departs from a purely origin-based conception of sovereignty.

The Cloud Sovereignty Framework represents a meaningful evolution from the principle-to-practice gap that has historically characterised EU digital sovereignty discourse. Several dimensions merit particular attention from a governance and policy research perspective.

First, the framework performs a translation function: it converts a normative and inherently contested concept (sovereignty) into a structured assessment instrument. The SEAL ladder and the weighted scoring formula are not neutral technical choices; they embody specific assumptions about what sovereignty means and where its risk is concentrated. The decision to weight supply chain dimensions most heavily (20%) while downweighting legal jurisdiction (10%) reflects a particular reading of where EU actors are most exposed, one that privileges physical and operational control over formal legal enforceability.

Second, the framework explicitly acknowledges the legitimacy of hybrid architectures. The inclusion of Proximus/S3NS, a model built on non-EU technology governed through EU-controlled operations, indicates that the Commission pursues a pragmatic position, but it also raises persistent questions about the resilience of operational sovereignty in the absence of underlying technological sovereignty: if a non-EU vendor withdraws support, can EU-operated wrappers sustain continuity?

Third, the framework functions simultaneously as a procurement tool and as a market-shaping instrument. By publishing clear criteria and announcing that SEAL levels will be applied more broadly to Commission digital services, the Commission signals to the cloud industry what it must demonstrate to compete for EU institutional contracts. This has the potential to nudge market behaviour toward investment in EU-controlled infrastructure. Though, whether the addressable market is large enough to generate that effect at scale remains an open question.

Finally, the inclusion of environmental sustainability (SOV-8) as a sovereignty dimension (weighted at only 5%) is conceptually significant. It suggests that long-term resilience, not merely jurisdictional isolation, is part of the sovereignty logic. Energy dependency and raw material scarcity are framed as sovereignty risks alongside foreign legal exposure, a broadening of the concept that connects digital governance to the EU's wider industrial strategy.

Proximus is the only Belgian actor awarded a contract under the Sovereign Cloud tender. It leads a cross-border consortium with French and Luxembourgish partners and reached SEAL-2, the minimum eligibility threshold. The award of the Sovereign Cloud contract to a Proximus-led consortium demonstrates that Belgian digital infrastructure actors can participate meaningfully in European sovereignty-driven procurement. It also exposes a structural tension: the consortium's SEAL-2 rating, as opposed to the SEAL-3 reached by French and German providers, reflects the degree to which Belgian cloud capacity remains dependent on non-EU underlying technology. The architecture of the Proximus consortium (built around Google Cloud infrastructure operated by EU entities) is a commercially viable model, but it also signals that Belgium has not yet developed, or chosen to anchor, a natively sovereign cloud stack of its own.

Finally, for Belgian organisations operating in regulated sectors (financial services, healthcare, public administration), the framework's articulation of legal and jurisdictional sovereignty (SOV-2) provides a useful reference point. Questions about exposure to the US CLOUD Act, the enforceability of GDPR rights, and the location of data processing are not new, but the SEAL framework gives them a structured vocabulary that can be used in procurement and compliance contexts. The AI Act and DORA have already sharpened expectations around data governance in these sectors; the Sovereign Cloud Framework adds a further layer of accountability that procurement officers and legal teams in Belgium will need to incorporate into their due diligence processes.

The April 2026 award marks a beginning rather than a conclusion. The Commission has indicated it will apply the sovereignty criteria developed for this tender more broadly, extending the SEAL assessment logic to the full range of digital services it provides to its own departments and to other Union entities. A revised version of the Cloud Sovereignty Framework is also forthcoming, incorporating lessons learned from the first procurement cycle. Crucially, the Commission has signalled that the framework is not intended to remain an internal instrument: all organisations wishing to adopt the approach are invited to do so, positioning the SEAL methodology as a potential reference standard for sovereign cloud procurement across the European public sector. 

Frederic Heymans