Commission advances cloud sovereignty through strategic procurement

The tender was launched last October, as part of Commission's efforts to strengthen the digital sovereignty posture of the Union entities. An additional goal of the tender was to encourage the market to offer sovereign digital solutions that comply with EU laws and values.

The awarded providers

The Commission awarded four contracts to ensure diversification and resilience, avoiding potential lock-in by a single provider.

The awarded providers are:

• A Luxembourgish-French partnership led by Post Telecom with OVHCloud and CleverCloud
• The German company StackIT (Schwarz Group)
• The French company Scaleway (Iliad Group)
• A Belgian-French-Luxembourgish partnership led by Proximus, that uses services from S3NS (a joint venture between Thales and Google Cloud), Clarence and Mistral

How were the providers selected?

To assess the sovereignty of the providers, the Commission developed the Cloud Sovereignty Frameworkthat translated digital sovereignty into objective, measurable procurement criteria. The framework measures sovereignty across eight concrete objectives - from strategic, legal, operational, and environmental considerations, to supply chain transparency, technological openness, security, and compliance with EU laws. It introduces Sovereignty Effectiveness Assurance Levels (SEAL) that go from SEAL-0, which indicates that providers demonstrated complete lack of sovereignty, to SEAL-4, which requires a full EU supply chain, from chips to software.

For the providers to be considered eligible, they needed to reach SEAL-2 level - a Data Sovereignty level. This means that they abide by the EU laws and regulations without requiring additional technical measures by the customer to protect its data. Most of the awarded providers reached SEAL-3 - Digital Resilience level - that implies that their service, technology or operations are immune from supply chain disruption from non-EU third parties.

State-of-the-art European technology

Post Telecom, together with its partners CleverCloud and OVHcloud, StackIT and Scaleway, which all develop their own technology, reached SEAL-3 level, while Proximus/S3NS reached SEAL-2. This means that the awarded providers mostly use European technologies and cannot be blocked by a non-EU third party. In addition, Proximus leverages capacities of partners S3NS, Clarence and Mistral from a technical environment based on Google Cloud technology, exclusively operated by EU companies.

While sovereignty was an important factor, the selected providers had to demonstrate that they can provide reliable, state-of-the-art technology and services, with a strong focus on fully managed services (PaaS), developer experience and automation. All awarded providers deliver a high level of technical quality for that scope, showing that EU providers are closing the gap. All awarded providers also achieve strong security ratings, demonstrating an excellent coverage in terms of security certifications.

Digital sovereignty milestone

By successfully introducing sovereignty in its cloud procurement, the Commission leads by example in advancing Europe's digital sovereignty, setting a benchmark for secure, compliant, and values-based cloud adoption across the public sector. The success of the tender highlights the high quality of European providers, demonstrating their ability to meet the Commission's strict criteria. It also shows that even non-European technologies, when operated within a strict and appropriate framework, can meet the minimum level of sovereignty required.

Before the Sovereign Cloud Framework was developed, it was not possible to measure digital sovereignty. This made it difficult to introduce it as a requirement in procurement procedures. The Framework has now provided a clear and standardised method to assess cloud services, moving away from abstract principles to concrete sovereignty metrics. It gives a clear framework to companies on what they should focus on.

Next steps

The Commission is applying the developed sovereignty criteria to assess and enhance sovereignty across the digital services that it provides to its departments and other Union entities.

The Commission will also publish an updated version of the Sovereign Cloud Framework based on lessons learned from this tender. All organisations wishing to adopt the Commission's approach are welcome to use it.

For more information

Cloud Sovereignty Framework