Comparing the European Commission's Cloud Sovereignty Framework with the EuroStack Proposal
2025-10-20
The European Commission has published its "Cloud Sovereignty Framework," a detailed set of criteria designed to assess and score the sovereignty level of cloud services procured by EU institutions. This new framework echoes the white paper that the EuroStack industry initiative published just weeks prior, titled "A Proposed Framework for a 'Buy European' Regulation of Strategic Digital Procurement."
An analysis of their detailed criteria reveals a striking convergence. Both frameworks are built on an almost identical understanding of the core technical, legal, and operational components required for true sovereignty. They identify the same risks—from foreign legal overreach to technological lock-in—and often propose similar technical safeguards.
The main divergence, therefore, is not in the definition of sovereignty, but in the methodology and political philosophy for achieving it. The Commission's framework operates on two levels: a set of high-level Sovereignty Effectiveness Assurance Levels (SEALs), which act as a minimum entry requirement for a given tender, and a detailed Sovereignty Score (SOV) used for the competitive evaluation. The EuroStack proposal argues for a sequential, gated approach where jurisdictional control is a non-negotiable security prerequisite, aiming to build a protected industrial base.
It is therefore not clear at this point how "sovereignty-washing" initiatives—where non-EU providers market tailored solutions as "sovereign"—will fare against the EC's framework. Their ability to participate will depend on the minimum SEAL level chosen by the contracting authority, and their ability to win will depend on the practical effectiveness of the SOV weighting system.
The following comparison, organised by theme, breaks down the two frameworks, examining their criteria side by side to highlight both their profound similarities in substance and their critical differences in application.
(Diagram published by the Commission on LinkedIn)
Comparing the Two Frameworks
1. Corporate Control & Legal Jurisdiction (The Gatekeeper)
| European Commission Criteria | EuroStack Criteria | Analysis of Convergence, Divergence, and Thresholds |
|---|---|---|
| Minimum Threshold (SEAL): a tender specifies a minimum SEAL level (e.g., SEAL-2: "Data Sovereignty") as the entry requirement; the SEALs themselves are high-level and vague. Competitive Score (SOV): SOV-1 and SOV-2 assess the "degree of exposure to non-EU laws." | Dimension I (Jurisdiction & Governance): a mandatory, pass/fail prerequisite; its criteria are precise and auditable (e.g., location of the Ultimate Parent Entity, >50% of voting rights). | Convergence: both frameworks identify the identical risk, the provider's ultimate legal accountability. Divergence & Thresholds: the divergence is fundamental. EC threshold: a flexible, tender-specific, and vaguely defined gate (the SEAL); a low SEAL (e.g., SEAL-2, which allows for "material non-EU dependencies") explicitly permits providers with non-EU parents to participate. EuroStack threshold: a fixed, non-negotiable, and precisely defined gate; a provider failing these criteria is immediately disqualified. |
2. Technology & Openness (The Antidote to Lock-in)
| European Commission Criteria | EuroStack Criteria | Analysis of Convergence, Divergence, and Thresholds |
|---|---|---|
| SOV-6 (Technology Sovereignty): contributing factors include "whether software is accessible under open licenses, with rights to audit, modify, and redistribute..." and the "ability to integrate... through well-documented and non-proprietary APIs..." | Dimension II (Technical Sovereignty): a scored dimension for providers that passed the Dimension I gate. Criterion 2.1: to earn points, the service must be built on Open Source Software. Criterion 2.3: to earn points, the service must be designed for Operational Reversibility. | Convergence: the substance is highly convergent; the EC's description of what earns points is effectively the definition of Open Source, making it functionally identical to EuroStack's criterion. Divergence & Thresholds: EuroStack's standard for earning points is more demanding. It introduces Operational Reversibility, the ability of a third party to take over operation of the service, which is the strongest safeguard against lock-in and a much higher bar than merely exposing open APIs. |
3. Data Control & Protection (Securing the Asset)
| European Commission Criteria | EuroStack Criteria | Analysis of Convergence, Divergence, and Thresholds |
|---|---|---|
| SOV-3 (Data & AI Sovereignty): contributing factors include "ensuring that only the customer... has effective control over cryptographic access to their data" and "strict confinement of storage and processing to European jurisdictions..." | Dimension IV (Data Sovereignty): a scored dimension. Criterion 4.2: to earn points, the provider must use measures that make it "cryptographically impossible" for the provider to access unencrypted data. Criterion 4.1: to earn points, all data (including metadata, backups, and logs) must be stored and processed in the EU. | Convergence: both frameworks share the same goals, customer-held keys and exclusive EU data residency. Divergence & Thresholds: EuroStack's criteria for earning points are more explicit and stringent. The "cryptographically impossible" standard is a more absolute technical bar than "effective control": in practice the latter can be met by a provider-operated key service that the customer merely administers, whereas the former requires that the provider never hold the key material or the plaintext at all. Naming "metadata, backups, and logs" closes common legal and technical loopholes and sets a higher bar for data residency. |
4. Operational Control & Personnel (The Human Factor)
| European Commission Criteria | EuroStack Criteria | Analysis of Convergence, Divergence, and Thresholds |
|---|---|---|
| SOV-4 (Operational Sovereignty): contributing factors include "assurance that operational support is delivered from within the EU and subject exclusively to EU legal frameworks" and "Security Operations Centres... operating exclusively under EU jurisdiction." | Dimension III (Operational Sovereignty): a scored dimension. Criterion 3.1: to earn points, the "operational control plane" must be located and operated in the EU. Criterion 3.2: to earn points, "100% of personnel with privileged access" must meet the "human firewall" criteria. | Convergence: both agree that privileged operations and staff must be firewalled within the EU. Divergence & Thresholds: EuroStack's criteria for earning points are more technically specific and quantitative. It explicitly names the control plane (the management software that provisions, configures, and administers the cloud services) as a critical component that must reside in the EU; EU-based support staff and SOCs count for little if the control plane, and with it root-level administrative access, is operated from elsewhere. The "100%" rule for privileged personnel is a hard, auditable, quantitative test, which is more precise than the EC's qualitative assessment. |
5. Economic Contribution & Value Creation (The EU Benefit)
| European Commission Criteria | EuroStack Criteria | Analysis of Convergence, Divergence, and Thresholds |
|---|---|---|
| SOV-1 (Strategic Sovereignty): contributing factor: "extent of investment, jobs, and value creation within EU." | Dimension V (Economic Sovereignty): a scored dimension used as a final-stage differentiator or tie-breaker. Criterion 5.1: to earn points, the majority (>50%) of global R&D expenditure and personnel for the core technology must be in the EU. | Convergence: both frameworks treat contribution to the EU economy as a relevant factor. Divergence & Thresholds: the divergence lies in the hierarchy and quantifiability of the criterion. Hierarchy: the EC folds it into the overall score from the start, whereas EuroStack reserves it for the end, to decide between otherwise qualified providers. Quantifiability: EuroStack's ">50% of global R&D" is a hard, quantitative test, whereas the EC's is a qualitative assessment of "extent." |
6. "Security & Compliance" and "Environmental Sustainability"
| Criteria in the EC Framework | Rationale for Inclusion (EC Framework) | Rationale for Exclusion (EuroStack Framework) |
|---|---|---|
| SOV-7: Security & Compliance Sovereignty | Part of a Holistic View of Trust: For the Commission, a provider's ability to demonstrate deep integration with the EU's legal and operational security fabric (GDPR, NIS2, DORA) is a key component of its trustworthiness and resilience within the EU ecosystem. It is treated as a measurable aspect of sovereignty. | Considered "Table Stakes," Not a Sovereignty Differentiator: The EuroStack proposal considers robust security and compliance as a baseline requirement for any professional cloud provider, regardless of origin. A non-EU provider can be perfectly secure and compliant but still be subject to foreign laws. Therefore, these factors are not seen as measures of geopolitical sovereignty itself. |
| SOV-8: Environmental Sustainability | Part of Long-Term Strategic Autonomy: This aligns with the EU's broader strategic goals, including the Green Deal. The Commission views long-term resilience as being linked to resource independence, including energy and raw materials. A sustainable provider is seen as more autonomous and resilient in the long run. | Outside the Scope of the Geopolitical Threat: The EuroStack framework is narrowly focused on addressing the immediate security threat of foreign legal control and technological dependency. While important, environmental sustainability is considered a separate policy area and outside the scope of the "essential security interests" argument that underpins the proposal. |
The Unanswered Question: Will the EC Framework Prevent "Sovereignty-Washing"?
A critical point of uncertainty remains. The effectiveness of the European Commission's framework against sophisticated "sovereignty-washing" initiatives is yet to be proven and depends on a two-part mechanism.
- The Choice of Minimum Threshold (SEAL): The first decisive factor is the minimum SEAL level a contracting authority chooses for a tender. If a low level like SEAL-2 ("Data Sovereignty") is chosen, which explicitly allows for "material non-EU dependencies", the framework by design creates a formal entry path for "sovereignty-washed" offers.
- The Competitiveness of the Score (SOV): For tenders where such providers are allowed to compete, the central issue remains. A non-EU provider will score very low on the 25% of the score dedicated to SOV-1 (Strategic) and SOV-2 (Legal) because of its foreign corporate control. The question is whether it can offset that deficit by scoring near-perfectly on the remaining 75% of the criteria.
In contrast, the EuroStack proposal's precise and mandatory pass-fail gate on jurisdictional control is designed specifically to prevent this scenario from the outset.
How US-controlled and European offers will actually fare under the EC's framework therefore remains open. The combination of SEAL requirements and SOV weighting may be enough to give European offers a distinct advantage, but this remains to be seen; the first major contracts awarded will be the real-world test of the framework's ability to differentiate and deliver on the promise of digital sovereignty.
Conclusion
Both frameworks demonstrate a shared, deeply technical understanding of what constitutes digital sovereignty. They agree on nearly all of the "what": the importance of legal insulation, customer-held cryptography, operational control by EU personnel, Open Source principles, and local economic value creation.
The remaining, and still critical, divergences are not in the substance of the criteria, but in their application, precision, and scope:
- The Pass/Fail Gate: The philosophical and practical chasm remains. The EC uses a flexible, tender-specific, and vaguely defined SEAL as its entry gate. EuroStack proposes a fixed, precise, and non-negotiable jurisdictional prerequisite for all strategic procurement.
- Prescriptiveness: To earn points, EuroStack's criteria are frequently more quantitative and absolute (e.g., "100%," ">50%," "cryptographically impossible"). The EC's language often uses qualitative assessments ("degree of," "extent of"), allowing for more graduated scoring.
- Scope: The EC includes "Security & Compliance" and "Environmental Sustainability" as distinct sovereignty objectives, which are not present in the EuroStack framework's more narrow geopolitical and technical focus.
This methodological choice brings the issue of "sovereignty-washing" into sharp focus. The central, unanswered question is whether the Commission's two-level system of flexible SEALs and weighted scoring will be robust enough to prevent a structurally non-European provider from winning strategic contracts. The EuroStack model, by design, eliminates this possibility from the outset.