Updated June 27, 2026
Summary: The EU SEAL framework gives procurement officers and CISOs a structured, scored method to verify cloud sovereignty claims against eight measurable objectives. SEAL-2 is the current floor for regulated public-sector buyers, while SEAL-3 and SEAL-4 address the most sensitive data classifications.

The EU Cloud Sovereignty Framework v1.2.1 is a structured scoring methodology developed by the European Commission that translates the abstract concept of cloud sovereignty into 48 verifiable criteria grouped under eight weighted objectives. The result is a SEAL score between 0 and 4 that allows compliance officers, CISOs and procurement teams to compare providers on auditable evidence rather than vendor self-declaration. For any European organisation that processes classified, health, financial or legally privileged data, understanding this framework is now a procurement prerequisite.

The Eight Sovereignty Objectives and How They Produce a SEAL Score

The framework organises sovereignty into eight discrete dimensions, each carrying a defined weight in the final calculation. These dimensions are: legal jurisdiction and applicable law; ownership and control structure; data residency and portability; operational independence from non-EU entities; supply chain transparency; access control and encryption key management; audit and transparency mechanisms; and incident response sovereignty. No single dimension dominates the score; the weighting reflects the Commission’s view that a provider can have impeccable data residency yet still be legally reachable by a foreign government if its ultimate parent is incorporated in a third country.

Each of the 48 criteria maps to one of these eight objectives. Assessors score criteria on a binary or graduated basis, the weighted subtotals aggregate into an overall SEAL score, and an independent conformity assessment body validates the evidence. The scoring methodology deliberately resists self-certification: providers must submit contractual documentation, corporate structure evidence, and technical architecture diagrams to the assessor, not just attestations.

Key point: A provider can achieve strong cybersecurity controls and still score SEAL-0 or SEAL-1 if its parent company is headquartered in a jurisdiction whose laws permit compelled disclosure to government agencies without an EU court order. Legal structure and ownership are scored independently of technical security.

What Each SEAL Level Requires in Practice

SEAL levels are not a linear scale of effort; each level corresponds to a qualitatively different sovereignty posture that has direct legal implications for the purchasing organisation.

| SEAL Level | Core requirement | Typical use case |
|---|---|---|
| SEAL-0 | No sovereignty claims substantiated | Non-sensitive workloads; legacy baseline |
| SEAL-1 | Contractual data residency; no independent audit | Low-classification internal tooling |
| SEAL-2 | EU-resident operations, independently assessed; contractual immunity from third-country access; key management controlled by customer or EU entity | Regulated public sector minimum; GDPR Article 46 transfers avoided |
| SEAL-3 | All SEAL-2 criteria plus EU-only ownership chain; no non-EU code contributions to critical components; sovereign incident response | Health records, financial supervision data, legal proceedings |
| SEAL-4 | Air-gapped or government-operated infrastructure; full source code auditability; national security classification compatibility | Intelligence, defence, critical national infrastructure |

SEAL-2 is the minimum threshold for regulated public-sector buyers because it is the lowest level that substantively blocks the two most common foreign-access mechanisms: compelled disclosure under the US CLOUD Act (18 U.S.C. § 2523) and surveillance collection under FISA Section 702. Below SEAL-2, a provider cannot contractually or technically guarantee that data is beyond the reach of non-EU government requests, which creates a direct conflict with GDPR Article 44’s prohibition on unlawful third-country transfers and with the NIS-2 Directive’s requirement that operators of essential services maintain control over their information systems.

The Cloud III DPS: How the Commission Applied the Framework at Scale

The European Commission’s Cloud III Dynamic Purchasing System, with a total framework value of approximately €180 million, is the most significant practical application of the SEAL framework to date. The DPS established SEAL score thresholds as mandatory award criteria, not merely desirable attributes, requiring providers to present independently validated evidence before being admitted to the purchasing system.

Among the providers awarded SEAL-3 status under Cloud III DPS are OVHcloud, STACKIT, Scaleway and CleverCloud. Their qualification carries an important signal for regulated buyers outside the Commission: these assessments are the first large-scale independent verifications of SEAL-3 claims, meaning the evidentiary bar that these providers cleared is publicly documented and reproducible in private-sector procurement processes.

The practical lesson for procurement teams is methodological. The Commission did not accept provider-issued compliance reports as sufficient. It required third-party assessment against the 48 criteria, legal opinion on the ownership and jurisdiction analysis, and technical evidence of key management architecture. Regulated organisations in finance (under DORA Article 28), healthcare, and the legal sector can import this same evidentiary standard directly into their own supplier due-diligence frameworks.

Procurement note: DORA Article 28 requires financial entities to assess the concentration risk of their ICT third-party providers and to ensure contractual exit rights. A provider’s SEAL score is directly relevant to both obligations because it determines whether a foreign-jurisdiction access event constitutes a material ICT risk under DORA’s definition.

According to the IBM Cost of a Data Breach Report 2024, the average total cost of a data breach globally reached USD 4.88 million in 2024. For regulated sectors, where breach notification under GDPR Article 33 triggers regulatory scrutiny in addition to direct costs, the cost of choosing a provider below the appropriate SEAL threshold must be weighed against the savings from a lower headline price.

SEAL versus EUCS High: Complementary, Not Interchangeable

The ENISA EUCS (European Cybersecurity Certification Scheme for Cloud Services) and the SEAL framework address overlapping but distinct problems. ENISA EUCS High, the most demanding tier of the EUCS scheme, certifies that a provider meets rigorous cybersecurity controls covering vulnerability management, logging, penetration testing, and resilience. What EUCS High does not directly assess is the legal jurisdiction question: a provider can achieve EUCS High certification while remaining a subsidiary of a US parent subject to CLOUD Act orders.

The SEAL framework’s legal sovereignty and ownership dimensions fill this gap. A complete sovereignty assurance picture for a regulated buyer therefore combines both: EUCS High provides the cybersecurity baseline, while SEAL-2 or above provides the legal and operational independence layer. The European Data Protection Supervisor has been explicit on this point: “Cloud sovereignty is not a marketing label; it is a verifiable legal and technical condition that must be demonstrated through auditable evidence, not vendor assurances.”

ENISA has similarly noted that “the lack of a harmonised sovereignty definition across member states creates significant procurement risk and allows providers to self-certify sovereignty without independent verification.” The SEAL framework directly addresses this by creating a single scoring vocabulary that works across all EU member states.

ENISA’s own Threat Landscape report for 2023 found that 38% of EU public-sector organisations experienced a significant cloud-related security incident that year, underscoring that the cybersecurity and sovereignty questions are connected in practice: an organisation that cannot enforce jurisdiction over its cloud provider also cannot fully enforce its incident response rights.

Using the 48 Criteria as a Due-Diligence Instrument

For a compliance officer or CISO evaluating an incumbent non-sovereign provider against a sovereign alternative, the 48 criteria function as a structured gap analysis template. The most operationally significant criteria cluster around three areas where incumbent Big Tech providers consistently underperform.

First, ownership and ultimate beneficial control: criteria in this cluster require mapping the complete corporate structure up to the ultimate parent, identifying any entity incorporated in a country with extraterritorial surveillance or disclosure legislation, and verifying that no such entity has operational access to EU-hosted data. Microsoft’s and Google’s EU operations fail this test at the ownership level regardless of their contractual commitments, because both parent companies remain subject to FISA Section 702 and the CLOUD Act.

Second, encryption key management: SEAL-2 and above require that encryption keys for data at rest and in transit are controlled exclusively by the customer or by an EU-resident key management service with no technical access path for the provider’s parent entity. This criterion directly tests whether a provider’s “bring your own key” offering is genuinely sovereign or merely an operational convenience that the provider can revoke or access under legal compulsion.

Third, operational staff access: the criteria require that all personnel with privileged access to production infrastructure are EU residents subject to EU employment and security law, and that remote access from non-EU locations is technically impossible rather than merely policy-prohibited.

CADA and the Future Legal Status of the SEAL Framework

The Cloud and AI Development Act (CADA), registered as COM(2026)502, proposes to give the SEAL framework’s sovereignty definitions statutory force across the entire single market. Currently, the SEAL framework operates as a procurement instrument: authoritative within Commission procedures and increasingly adopted by national procurement bodies, but not legally binding on private-sector regulated entities.

CADA changes this in two material ways. First, it proposes to embed a harmonised definition of “sovereign cloud service” into EU law, using language closely derived from the SEAL framework’s eight objectives. Second, it creates a mandatory conformity assessment pathway for providers offering services to regulated sectors, effectively making SEAL-equivalent certification a legal requirement rather than a competitive differentiator. Sectoral regulators under NIS-2, DORA and the AI Act would be empowered to reference CADA’s sovereignty definition in their own supervisory decisions.

For procurement teams evaluating providers today, this trajectory means that a provider who cannot demonstrate at least SEAL-2 compliance now is unlikely to meet the mandatory requirements under CADA once it enters into force. Locking into multi-year contracts with non-sovereign providers now creates both a compliance liability and a migration cost that will arrive on a legislatively fixed schedule.

FAQ

What is the EU SEAL cloud sovereignty framework?

The EU Cloud Sovereignty Framework v1.2.1 is a structured assessment methodology developed by the European Commission that scores cloud providers against eight sovereignty objectives. The resulting SEAL score (0–4) allows procurement officers to compare providers on verifiable, independently assessed criteria rather than marketing claims.

Why is SEAL-2 the minimum threshold for regulated public-sector buyers?

SEAL-2 requires demonstrated operational independence from non-EU jurisdictions, contractual guarantees against third-country government access, and data residency enforced at the infrastructure level. Below SEAL-2, providers cannot exclude exposure to instruments such as the US CLOUD Act or FISA Section 702, which conflicts with GDPR Article 44 and the NIS-2 Directive’s requirements for essential service operators.

How does SEAL differ from EUCS High certification?

ENISA EUCS High focuses on cybersecurity controls and resilience but does not directly assess legal jurisdiction, ownership structures or immunity from non-EU government access requests. The SEAL framework explicitly scores legal sovereignty, ownership and operational control as separate weighted dimensions, making the two frameworks complementary rather than interchangeable.

Which providers were awarded SEAL-3 status under Cloud III DPS?

OVHcloud, STACKIT, Scaleway and CleverCloud are among the providers awarded SEAL-3 status under the European Commission’s Cloud III Dynamic Purchasing System. Their qualification confirms that independent assessment validated their sovereignty posture against the 48 criteria defined in the framework.

What will the Cloud and AI Development Act (CADA) change?

CADA, registered as COM(2026)502, proposes to embed a harmonised sovereignty definition directly into EU law, making SEAL-equivalent criteria legally binding across all member states. Once adopted, this removes the current patchwork of national interpretations and gives the SEAL framework statutory rather than merely procedural authority, with sectoral regulators under NIS-2, DORA and the AI Act empowered to enforce it directly.
