How Sovereign Is Your Cloud? The European Commission's SEAL Framework
Server location is just one of the factors that determine the digital sovereignty of a cloud service. The European Commission has introduced SEAL levels to measure — objectively — how effective that sovereignty actually is.

The servers are in Europe. But are your data really protected?
This question comes up often in cloud compliance conversations. The answer, almost always, is: it depends. The physical location of servers is just one of the factors that determine the digital sovereignty of a cloud service — and often not the most important one.
The European Commission has brought clarity to this ambiguity with a document published in October 2025: the Cloud Sovereignty Framework (version 1.2.1), produced by DG Digital Services. The framework introduces a precise measurement tool: the SEAL — Sovereignty Effectiveness Assurance Levels.
The Five SEAL Levels
SEAL is an ordinal scale from 0 to 4 that measures how effective the digital sovereignty of a cloud service actually is:
SEAL-0 — No Sovereignty
Technology, operations, and corporate control are entirely in the hands of non-EU parties, under non-European jurisdictions. There is no meaningful protection for data.
SEAL-1 — Jurisdictional Sovereignty (Formal)
EU law formally applies, but with limited practical enforceability. The provider remains under exclusive control of non-EU third parties. The typical case: a server physically located in Ireland, operated by a US company. The US CLOUD Act and FISA 702 still apply — the provider may be compelled to hand over data to US authorities regardless of where it physically resides.
SEAL-2 — Data Sovereignty
EU law is applicable and enforceable, but material dependencies on non-EU parties remain. The provider is indirectly controlled by non-European third parties. Many "sovereign cloud" offerings from major hyperscalers fall here — AWS EU Sovereign Cloud, Azure EU Data Boundary, joint ventures like Bleu or Delos: formally European structures, but with structural dependencies on US vendors.
SEAL-3 — Digital Resilience
EU law is fully applicable and non-EU dependencies are marginal. European actors exercise meaningful — though not yet complete — influence over technology and operations.
SEAL-4 — Full Digital Sovereignty
Technology and operations are entirely under EU control, subject only to EU law, with no critical dependencies on non-EU parties. The cloud equivalent of a fully European infrastructure across hardware, software, operations, and governance.
Not an Average: Eight Independent Dimensions
What makes the SEAL framework practically useful — and demanding — is that the levels apply not to the provider as a whole, but separately across eight Sovereignty Objectives (SOVs):
| # | Objective | Weight |
|---|---|---|
| SOV-1 | Strategic Sovereignty | 15% |
| SOV-2 | Legal & Jurisdictional Sovereignty | 10% |
| SOV-3 | Data & AI Sovereignty | 10% |
| SOV-4 | Operational Sovereignty | 15% |
| SOV-5 | Supply Chain Sovereignty | 20% |
| SOV-6 | Technology Sovereignty | 15% |
| SOV-7 | Security & Compliance Sovereignty | 10% |
| SOV-8 | Environmental Sustainability | 5% |
SOV-1 Strategic: who exercises effective control over the company? Is the board EU-based? Are there golden share mechanisms or change-of-control protections? Does financing come from European sources?
SOV-2 Legal & Jurisdictional: is the provider exposed to the US CLOUD Act or China's Cybersecurity Law? Where is intellectual property registered? Are there channels through which non-EU authorities could compel access to systems or data?
SOV-3 Data & AI: does the customer have exclusive cryptographic control over their data? Are AI models developed, trained, and governed within the EU? Is processing strictly confined to European jurisdictions with no fallback to third-country infrastructure?
SOV-4 Operational: are the operators managing the service exclusively EU-based? Are source code and technical documentation available to enable long-term operational autonomy?
SOV-5 Supply Chain: where are chips and physical servers manufactured? What is the jurisdiction governing firmware? Who develops and maintains the base software stack? This objective carries 20% weight — the highest of all SOVs — and represents the most critical bottleneck for most providers. A European hypervisor running on Nvidia processors or TSMC chips with non-EU firmware already carries dependencies that lower the SOV-5 score.
SOV-6 Technology: are APIs open and standardized? Is software available under auditable open-source licenses? Does the provider rely on high-performance computing ecosystems (GPUs, accelerators) controlled by non-EU parties?
SOV-7 Security & Compliance: does the SOC operate exclusively under EU jurisdiction? Are certifications (ISO 27001, ENISA schemes) independently verifiable? Can the customer conduct independent audits with full access?
SOV-8 Environmental: what are the PUE values of the infrastructure? Is energy sourced from renewables? Are circular economy practices in place for hardware lifecycle management?
SEAL and Sovereignty Score: Two Different Tools
The framework distinguishes two complementary evaluation mechanisms:
SEAL is a threshold (pass/fail). The tender specification sets a minimum required level for each SOV. If a provider fails to meet that threshold on even one objective, it is excluded — regardless of performance on the others. It is not an average. A SEAL-1 on supply chain cannot be offset by a SEAL-4 on security.
The Sovereignty Score is a ranking. Among providers that have passed all thresholds, the framework computes an overall score using the weights in the table above. The Sovereignty Score contributes to the award criterion — it differentiates who wins among the qualified.
The formula is straightforward: for each SOV, the ratio of achieved score to maximum score is multiplied by its weight. The sum gives the final Sovereignty Score.
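The two-step evaluation described above, as an added Python example (not code from the Commission's framework or from this page's author): SEAL thresholds gate the bids first, then the weighted Sovereignty Score ranks only those that passed. The weights come from the table above; the tender minimums, the three bids, the 10-point scale per objective and the treatment of an undocumented objective as SEAL-0 are constructed assumptions.

```python
from fractions import Fraction

# Weights in percent, copied from the SOV table on this page.
WEIGHTS = {"SOV-1": 15, "SOV-2": 10, "SOV-3": 10, "SOV-4": 15,
           "SOV-5": 20, "SOV-6": 15, "SOV-7": 10, "SOV-8": 5}
assert sum(WEIGHTS.values()) == 100

def failed_objectives(seal, minimum):
    """SOVs whose SEAL level is below the tender minimum.
    Assumption: an objective with no documented level counts as SEAL-0."""
    return [s for s in WEIGHTS if seal.get(s, 0) < minimum[s]]

def sovereignty_score(points):
    """Sum over SOVs of weight * achieved / maximum, as an exact percentage."""
    return sum(Fraction(a, m) * WEIGHTS[s] for s, (a, m) in points.items())

def evaluate(bids, minimum):
    """Gate on SEAL first, then rank only the bids that passed every threshold."""
    excluded, qualified = {}, []
    for name, bid in bids.items():
        failed = failed_objectives(bid["seal"], minimum)
        if failed:
            excluded[name] = failed  # never scored, whatever its other levels
        else:
            qualified.append((float(sovereignty_score(bid["points"])), name))
    return excluded, sorted(qualified, reverse=True)

# Constructed sample data: hypothetical minimums (one per SOV) and bids.
MINIMUM = dict.fromkeys(WEIGHTS, 2)

def make_bid(levels, points):
    """Build a bid from per-SOV SEAL levels and achieved points out of 10."""
    return {"seal": dict(zip(WEIGHTS, levels)),
            "points": {s: (p, 10) for s, p in zip(WEIGHTS, points)}}

BIDS = {
    "alpha": make_bid([3, 3, 3, 3, 2, 3, 3, 3], [8, 9, 7, 8, 5, 7, 9, 6]),
    "beta":  make_bid([2, 2, 3, 2, 2, 2, 3, 2], [6, 6, 8, 5, 3, 6, 9, 7]),
    # SEAL-4 nearly everywhere but SEAL-1 on supply chain: excluded, not averaged.
    "gamma": make_bid([4, 4, 4, 4, 1, 4, 4, 4], [10, 10, 10, 10, 3, 10, 10, 9]),
}

if __name__ == "__main__":
    excluded, ranking = evaluate(BIDS, MINIMUM)
    print("excluded:", excluded)
    print("ranking:", ranking)
```

The "gamma" bid would have had the highest weighted score of the three, yet it never reaches the ranking because the threshold check runs first.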
The Framework Is Already Operational
The Cloud Sovereignty Framework is not a consultation paper or a future roadmap. In October 2025, the European Commission applied it to the Sovereign Cloud Tender (SCT): a €180 million procurement over six years, open to up to four operators, covering cloud services for EU institutions.
The SCT operates within the Cloud III Dynamic Purchasing System — the €1.2 billion mechanism that qualifies cloud providers for all EU institutional procurement. Providers wishing to enter this market must register with Cloud III DPS, currently open until January 2028.
This is not a pilot. It is the new operational standard for European cloud procurement.
The Cascade Effect: Why This Matters for Private Companies
SEAL was designed as a tool for European public procurement. But its effects extend — through contractual logic — well beyond the Commission.
The mechanism is familiar to anyone working with ISO 27001 (clause 8.1 on supplier relationships) or NIS2 (Article 21 on supply chain risk management). The novelty is an added dimension: not just technical security, but legal sovereignty.
In practice: a cloud provider that wants to maintain its SEAL qualification must impose equivalent requirements on its subcontractors. The data centre hosting the infrastructure must document SOV-5 (hardware provenance) and SOV-4 (EU-only operations). The managed security provider must document SOV-7 (jurisdictional coverage, audit rights). The firmware or chip vendor enters the SOV-5 equation — and if it is non-EU, it lowers the score of the entire chain.
Companies that cannot document their position are excluded from the supply chain. Not because they are insecure or unreliable — but because they cannot be verified according to the framework's criteria.
This creates a new market dynamic. Organisations that know where they stand in the SEAL framework — objective by objective — and can demonstrate it with evidence gain a concrete competitive advantage. Not only in direct public tenders, but in any supply chain that includes a qualified cloud provider.
Where Does Your Organisation Stand?
The question to ask your cloud provider is no longer "are the servers in Europe?" — but "what SEAL level are you at, objective by objective, and what evidence supports it?"
And the question for your own organisation — if you are part of the European cloud supply chain — is: "can we document our SEAL position on the SOVs relevant to our role?"
Do you know where your organisation stands in the SEAL framework?
Tomato Blue guides organisations through the initial assessment — understanding where you stand today against the eight Sovereignty Objectives — and producing the documentation needed to demonstrate it to a contracting authority or supply chain partner.