The EU Cloud Sovereignty Framework Sets a New Benchmark - for Everyone

On 1 June 2026, the European Commission published a detailed explanation of the Cloud Sovereignty Framework - the scoring system it had used, two months earlier, to award €180 million in cloud contracts to European providers. Most coverage focused on who won. The more significant development is what the framework itself represents: for the first time, "cloud sovereignty" has a definition precise enough to be scored, ranked, and used as a procurement filter.

That precision matters beyond public institutions. In regulated industries, a formal tool that answers "how sovereign is this cloud service?" becomes a reference point long before it becomes a legal requirement.

What the Framework Actually Measures

The framework organises its assessment around two mechanisms. The first is a Sovereignty Effectiveness Assurance Level, or SEAL, which assigns providers to one of three tiers: SEAL-2 (data sovereignty - the service complies with EU law and data stays within EU jurisdiction), SEAL-3 (digital resilience - the service is immune from supply chain disruption by non-EU third parties), and SEAL-4 (full sovereignty - maximum autonomy from any external dependency). The second mechanism is an overall sovereignty score calculated across 48 specific criteria, grouped into eight categories covering strategic, legal and jurisdictional, data and AI, operational, supply chain, technological, security and compliance, and environmental sustainability dimensions.

The question each criterion is trying to answer is the same throughout: does EU law govern this component, or could a foreign government compel the provider to act against a European customer's interests? That framing - jurisdiction, not geography - is why a cloud provider running servers in Frankfurt can still fail to reach SEAL-3. Server location is one criterion. Legal exposure is another.

The April 2026 Tender and What It Revealed

The framework's first real-world test was the Cloud III Dynamic Purchasing System tender, which awarded €180 million in contracts to four providers in April 2026. Post Telecom (with OVHcloud and CleverCloud), STACKIT, and Scaleway each reached SEAL-3. A fourth consortium led by Proximus, with S3NS and Mistral, reached SEAL-2 - the minimum required to qualify.

The S3NS result became an immediate test case for the framework's limits. S3NS is a joint venture between Thales and Google Cloud, and its SEAL-2 result reflects a structural constraint: the 2018 US CLOUD Act requires American companies to comply with US government data requests regardless of where data is stored, which makes SEAL-3-level independence from non-EU supply chains impossible for any US-linked provider to demonstrate. CISPE, the European cloud industry association, described the inclusion of S3NS as "sovereignty washing" - a term that captures what the framework is now equipped to detect. The distinction is not about branding or partial European ownership; it is about whether legal and operational control can be demonstrated under audit.

The tender confirmed that SEAL-3 is attainable today with existing European providers. OVHcloud, STACKIT, and Scaleway are production services that passed the full 48-criterion assessment. The S3NS result marks where the framework's line falls: not at server location or European branding, but at the legal jurisdiction governing the provider's operations.

The Cloud and AI Development Act Would Extend This Logic

The Cloud Sovereignty Framework was designed for EU institution procurement. A broader proposal published on 3 June 2026 would change that scope considerably. The Cloud and AI Development Act (CADA) would require public authorities across all 27 member states to carry out sovereignty risk assessments before signing cloud and AI contracts. The affected scope covers government agencies, healthcare providers, and critical infrastructure operators handling data of 500,000 or more EU residents or contracts above €10 million.

The CADA's four assurance tiers map directly onto the SEAL framework. At the most sensitive tier - covering critical government systems - US hyperscalers would be structurally excluded, not by policy targeting but because CLOUD Act exposure makes it impossible for any US company to demonstrate the level of operational independence the highest tiers require. For AWS, Azure, and Google Cloud, that is not a gap they can close by building more European data centres. The legal architecture is the constraint.

CADA is a legislative proposal, not law yet. Negotiations between the European Parliament, the Council, and the Commission are expected to conclude by Q4 2026, with rules taking effect 18 months after adoption - putting full compliance requirements at approximately mid-2028. Timelines in EU legislative processes shift, and the final text will differ from the draft. What is already clear is the direction: the Commission is moving the framework from a procurement tool for its own institutions toward a standard that applies across Europe's most sensitive public-sector contracts.

Why Regulated Private-Sector Organizations Are Watching

The framework does not currently apply to private companies, and CADA would not change that directly. But in regulated industries - healthcare, financial services, manufacturing - the line between regulatory obligation and commercial expectation has never been crisp. When the public sector adopts a formal scoring tool, that tool becomes the vocabulary used by auditors, customers, and DPOs well before any mandate arrives.

This is visible in procurement decisions already being made. European sovereign cloud spending grew 83% year-on-year in 2026, ahead of any legal deadline. Organizations in regulated industries are making these decisions because contracts, insurers, and customers are pulling them in this direction - not because a regulation has already arrived and given them no choice.

The framework's most practical use for a private-sector organization is as a scoping tool rather than a compliance checklist. The 48 criteria do not need to be answered for every workload. The useful question is: which of our systems process data in ways where SEAL-2 or SEAL-3 would be required if we were a public body? That question identifies the workloads where European cloud is worth evaluating seriously and separates them from the workloads where the current setup carries no meaningful sovereignty risk.

The Gap That Still Needs Addressing

European providers reaching SEAL-3 is significant. It was not obvious three years ago that the supply side would be ready. But US providers still control over 70% of the EU cloud market, with European providers holding approximately 15%. The difference is not primarily about sovereignty credentials - it is service breadth: managed AI tooling, developer ecosystems, global availability zones, depth of platform services. The framework does not close that gap; it clarifies which workloads genuinely need to move and which can legitimately stay on US infrastructure at SEAL-2.

The practical implication is that most organizations will not face a binary choice. General productivity software, development tooling, and non-sensitive data processing may reasonably stay where they are at SEAL-2, while patient records, financial transaction data, and operational systems move to European providers that can demonstrate digital resilience. Making that distinction honestly requires working through the 48 criteria against actual workloads - which is where the framework becomes a useful map rather than an abstract policy document.

The €120 billion in combined public-private investment that analysts estimate the EU needs by 2035 to close the sovereignty gap reflects the scale of what remains. But the framework gives European organizations something useful now: a common language for a conversation that has, until April 2026, been difficult to have precisely.

Thinking about migration? Book a free consultation to discuss your situation.