The EU Cloud Sovereignty Framework: What Providers and Customers Need to Know

In October 2025, the European Commission released version 1.2.1 of its Cloud Sovereignty Framework (CSF). Originally designed as a procurement tool for EU institutions purchasing cloud services, the CSF has quickly evolved into something more consequential: a structured methodology for evaluating cloud providers against eight distinct sovereignty criteria, scored on a five-level scale. Whether you operate a cloud business in Europe, sell into the EU market from abroad, or simply rely on cloud infrastructure hosted by a major provider, this framework deserves your attention.

Below, we outline the key elements of the CSF, the broader regulatory environment it sits within, its first real-world application, and the practical implications for cloud providers and enterprises across jurisdictions.

The Bigger Picture: Europe’s Digital Sovereignty Agenda

The CSF did not emerge in isolation. It is one component of a broader European push toward reducing dependency on non-EU technology providers — a policy direction grounded in the 2024 Draghi report on European competitiveness. That report identified structural reliance on foreign technology as a strategic vulnerability and called for coordinated action. Since then, the European Commission has advanced legislation and policy initiatives along five parallel tracks:

  • Industrial and supply-chain resilience: The European Chips Act, the Critical Raw Materials Act, and the Net-Zero Industry Act each target strategic dependencies in hardware and components.
  • Cybersecurity and operational resilience: The NIS2 Directive, the Cyber Resilience Act (CRA), and DORA (for financial institutions) impose security obligations on providers of essential and digital services, while the EUCS is being developed as a complementary cloud certification mechanism.
  • Data governance and artificial intelligence: The GDPR, the Data Act, the Data Governance Act, and the AI Act collectively regulate how data is processed, shared, and used in automated decision-making across the single market.
  • Cloud-specific measures: Beyond the CSF itself, the upcoming Cloud and AI Development Act (CADA) is expected to codify the concept of a “sovereign cloud” in EU legislation, and the EUCS certification scheme will add a technical compliance layer.
  • Trade and economic security: Updated dual-use export controls (effective since November 2025) now cover advanced technologies, alongside the Foreign Subsidies Regulation, the FDI screening framework, and the Anti-Coercion Instrument.

Among these tracks, cloud regulation has advanced most rapidly — largely because the Commission was able to act through its own procurement authority. With over €180 million in annual cloud spending by EU institutions, and significant reliance on US-headquartered hyperscale providers, the need for a structured sovereignty assessment was both immediate and concrete.

How the CSF Works: Structure and Scoring

It is important to understand what the CSF is — and what it is not. The framework is not a binding regulation. It becomes legally operative only when incorporated into a specific procurement document. Its design draws on national precedents, including France’s “Cloud de Confiance” / SecNumCloud certification and Germany’s “Souveräner Cloud” / C5 framework.

The CSF evaluates cloud offerings against eight Sovereignty Objectives (SOV-1 through SOV-8). Each objective is scored on a five-level Sovereignty Effective Assurance Level (SEAL) scale, ranging from SEAL-0 (“No Sovereignty”) to SEAL-4 (“Full Digital Sovereignty”). Providers that fall below the minimum SEAL threshold on any single objective are excluded from the procurement. Those that meet the minimum are ranked by a weighted composite score, with the following weightings: Supply Chain (20%), Strategic, Operational, and Technology Autonomy (15% each), Legal, Data, and Security Sovereignty (10% each), and Environmental Sustainability (5%).

This structure means that providers need to perform adequately across all eight dimensions — a high score in one area cannot compensate for falling below the threshold in another.

First Real-World Application: The Cloud III Procurement

The CSF received its first practical test in the Cloud III Dynamic Purchasing System, a six-year, €180 million procurement vehicle for EU institutions awarded on 17 April 2026. The outcomes are instructive for any provider considering the EU market:

  • A consortium led by Post Telecom, partnering with CleverCloud, OVHcloud, STACKIT, and Scaleway — each operating its own EU-built technology stack — achieved SEAL-3 (“Digital Resilience”).
  • A bid led by Proximus, which leveraged S3NS (a Thales-majority joint venture with Google Cloud) along with other partners running on Google Cloud technology operated by EU companies, received SEAL-2 (“Data Sovereignty”).

How Major Cloud Providers Are Adapting

The sovereignty trend is not going unnoticed by the largest global cloud providers. A central concern for US-headquartered companies is the potential reach of extraterritorial US legislation, which can create tension with EU data protection and sovereignty expectations. In response, the major hyperscalers have adopted different strategies:

  • AWS has announced a European Sovereign Cloud — a physically and logically separate infrastructure with a dedicated EU-based corporate structure, EU-resident staff, a German parent entity, and all data and metadata remaining within the EU.
  • Microsoft offers tiered “Sovereign Cloud” options that allow customers to select different levels of control and operational separation, including partner-operated models such as Delos Cloud (SAP-owned) in Germany.
  • Google Cloud has pursued joint-venture partnerships, notably S3NS with Thales in France, in which a European-majority entity operates the service layer while using Google’s underlying cloud technology.

These measures can improve CSF scores by addressing data residency, operational independence, and legal insulation. However, as the Cloud III results demonstrate, the ultimate corporate ownership structure and the geographic origin of core technology continue to be evaluated under the framework — and these factors are harder to restructure.

What This Means for Your Business

Whether you are a cloud provider, a technology vendor, or an enterprise customer relying on cloud services, the CSF has implications worth considering now — even before it hardens into binding legislation:

  • For EU-based providers: The framework rewards EU-origin technology stacks, EU corporate structures, and demonstrable operational independence. Providers that can document these attributes across all eight sovereignty objectives are better positioned for EU institutional procurement — and potentially for member-state and private-sector contracts that adopt similar criteria.
  • For US- and non-EU-based providers: The framework does not exclude non-EU companies, but it does create structural scoring advantages for providers with EU-resident operations, EU-governed corporate entities, and technology developed within the EU. Providers considering the EU market should assess their current position against the CSF’s eight objectives early, as the structural changes required to improve a sovereignty score — separate corporate entities, EU-based engineering, data residency commitments — take time to implement.
  • For enterprise customers: Regulated entities in sectors such as financial services (subject to DORA), essential services (covered by NIS2), and defense may increasingly encounter CSF-style assessments in their own vendor due-diligence processes. Understanding the framework’s structure helps in evaluating provider claims and anticipating future procurement requirements.
  • Beyond cloud services: The CSF’s sovereignty criteria may influence procurement and compliance expectations for adjacent offerings, including managed services, professional services, and maintenance contracts — particularly where these involve access to sensitive data or critical infrastructure.

The CSF also appears to be developing a soft-law dimension: cloud providers are already publishing self-assessment scores on their websites, and open-source self-assessment tools have been released. Alignment with the framework’s criteria may become a competitive differentiator in the European market, regardless of whether a specific procurement formally requires it.

Looking Ahead

The CSF is best understood not as a finished product but as a template that will continue to evolve. The upcoming Cloud and AI Development Act (CADA) is expected to incorporate sovereignty concepts into binding EU legislation. The European Cybersecurity Certification Scheme for Cloud Services (EUCS) will add another compliance layer. And member states are likely to align their own procurement frameworks with the CSF’s methodology over time.

For cloud providers and their customers alike, the practical takeaway is straightforward: the EU is building a structured, multi-layered sovereignty assessment regime for digital infrastructure. Early engagement with the CSF’s criteria — understanding where your organization stands, identifying gaps, and planning for structural adjustments — is the most effective way to stay ahead of a regulatory landscape that is moving quickly.

This article is provided for informational purposes only and does not constitute legal advice. The regulatory landscape described is subject to change. For guidance specific to your situation, please contact us directly.