Updated June 24, 2026
Summary: The EU Cloud Sovereignty Framework v1.2.1 translates eight sovereignty objectives into five SEAL assurance levels (SEAL-0 through SEAL-4); regulated buyers in finance, healthcare and government should set SEAL-3 as their minimum eligibility threshold for the Cloud III DPS and equivalent internal assessments.

The Cloud III Dynamic Purchasing System (Cloud III DPS) and the EU Cloud Sovereignty Framework v1.2.1 together form the most operationally detailed procurement methodology the European Commission has produced for sovereign cloud acquisition. For compliance officers, CISOs and data protection officers in regulated sectors, understanding how the SEAL scoring system works, what evidence it demands and where its boundaries lie is now a prerequisite for defensible procurement decisions, not an optional refinement.

From Policy Intent to Measurable Score: The SEAL Architecture

The Cloud Sovereignty Framework v1.2.1 translates eight distinct sovereignty objectives into a five-level assurance ladder, SEAL-0 through SEAL-4, where each level represents a cumulative set of evidenced requirements rather than a self-declared category.

The eight objectives the framework measures are: strategic autonomy, legal protection, operational resilience, environmental accountability, supply-chain transparency, technological openness, security assurance and EU-law compliance. No single objective dominates the score; the SEAL level a provider reaches is determined by the lowest-scoring objective across all eight dimensions. A provider that achieves every criterion in seven objectives but fails the legal protection test cannot claim SEAL-3, regardless of its technical sophistication. This floor-based aggregation is intentional: it prevents providers from compensating weak legal positions with strong security certifications.

SEAL-0 indicates no verified sovereignty characteristics. SEAL-1 covers basic transparency requirements, including disclosure of ownership structure and data residency. SEAL-2 corresponds to operational independence, meaning the provider can demonstrate that its day-to-day operations do not depend on decisions made outside European jurisdiction. SEAL-3, labelled Digital Resilience, requires verifiable legal isolation from non-EU law enforcement access mechanisms, end-to-end encryption with customer-controlled keys, and supply-chain documentation for all software components. SEAL-4 is reserved for environments handling data equivalent to EU-RESTRICTED classification, and adds requirements for air-gapped or dedicated infrastructure and formal security accreditation under national or EU frameworks.

Key threshold: For public sector bodies, financial institutions subject to DORA, healthcare organisations under NIS-2 and legal services firms processing privileged client data, SEAL-3 is the appropriate minimum eligibility bar. Setting the bar at SEAL-2 leaves material legal exposure because SEAL-2 does not require demonstrated legal isolation from instruments such as the US CLOUD Act or FISA 702.

What the April 2026 Cloud III DPS Tender Actually Required at SEAL-3

The April 2026 Cloud III DPS tender operationalised SEAL-3 through a specific evidence submission package that providers were required to assemble before evaluation, not during contract performance.

Under the legal protection objective, providers were required to submit a legal opinion from independent counsel confirming that no provision of a foreign surveillance law (explicitly naming the US CLOUD Act, FISA Section 702 and equivalent instruments from third countries) created an obligation on the provider or any of its group companies to disclose EU customer data without prior EU judicial authorisation. A letter from an in-house legal team was not accepted as a substitute.

Under the security objective, providers needed to present either an ISO 27001 certificate covering the specific service scope, a BSI C5 Type 2 attestation, or an equivalent national certification recognised by ENISA. Encryption key management documentation had to demonstrate that cryptographic keys were generated, stored and rotated exclusively within EU-controlled hardware security modules. Buyers should also check who holds administrative control of the key hierarchy: an HSM located in the EU but administered by the provider does not by itself deliver the customer-controlled keys that SEAL-3 describes.

Under the supply-chain transparency objective, the tender required a software bill of materials (SBOM) covering all components used in the contracted service, with explicit identification of any component whose vendor is headquartered or incorporated outside the EU. In practice this means a machine-readable SBOM (SPDX or CycloneDX) that names a supplier for every component, because origin cannot be scored for a component whose supplier is not disclosed.

Swiss-hosted providers faced a specific evaluation path under these criteria. Switzerland has held a Commission adequacy decision since 2000, and the Commission's January 2024 review of its existing adequacy decisions confirmed it following the entry into force of the revised Federal Act on Data Protection (revFADP) on 1 September 2023. Under the legal protection objective, a Swiss-domiciled provider with no US parent company and no contractual obligation to a US-incorporated entity satisfies the foreign surveillance law test in a structurally cleaner way than many EU-domiciled providers that are subsidiaries of US corporations. The FDPIC (Federal Data Protection and Information Commissioner) has confirmed that Swiss law does not contain a CLOUD Act-equivalent mechanism compelling domestic providers to hand over data held abroad to foreign authorities. Adequacy governs data protection, not ownership; the ownership and sub-processor chain still has to be established through the independent legal opinion.

The Proximus/S3NS Case and the Limits of EU Operational Wrappers

The Proximus/S3NS arrangement, in which the Belgian telecommunications operator Proximus partnered with S3NS (a French company majority-owned by Thales that operates Google Cloud technology under a trusted-cloud model) to deliver a “sovereign” cloud offering, illustrates a structural tension the SEAL framework was explicitly designed to resolve.

Under the framework’s supply-chain transparency and technological openness objectives, the origin of the underlying technology stack is a scored criterion, not merely a disclosure item. An offering built on Google Cloud infrastructure, even when operated by a European legal entity, retains dependencies on software, updates and cryptographic components whose lineage traces to a US-incorporated parent. The SBOM requirement makes these dependencies visible and therefore scoreable.
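As an added example, not part of the original page or of the tender documents: a screen over a CycloneDX JSON SBOM that groups components by supplier jurisdiction, covering both the tender's SBOM requirement described earlier and the scoring point made here about technology origin. The supplier registry, the sample SBOM and every component and supplier name are constructed for illustration; in a real assessment the supplier-to-jurisdiction mapping comes from the provider's disclosure and is checked against company registers. Non-EU suppliers are reported, not rejected, since the objective is visibility; a component with no resolvable supplier is treated as an evidence gap rather than a pass.

```python
import json

# EU-27, the EEA states (IS, LI, NO) and Switzerland: the jurisdictions the
# legal-protection test above treats as outside CLOUD Act-style reach.
IN_SCOPE_JURISDICTIONS = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO", "CH",
}

# Constructed supplier registry (an assumption of this example): supplier name
# exactly as it appears in the SBOM -> ISO 3166-1 alpha-2 country in which the
# ultimate parent is incorporated. Real entries come from the provider's
# disclosure and are verified against company registers.
SUPPLIER_JURISDICTION = {
    "Example Hosting SA": "CH",
    "Beispiel Software GmbH": "DE",
    "Sample Cloud Inc.": "US",
    "Open Project Foundation": "NL",
}


def iter_components(components):
    """Yield every component depth-first; CycloneDX lets a component carry
    its own nested 'components' list (e.g. a platform bundling libraries)."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components") or [])


def classify(component, registry):
    """Return (verdict, country) for one component.

    in_scope     supplier disclosed and incorporated in the EU/EEA/CH
    non_eu       supplier disclosed and incorporated elsewhere (permitted,
                 but must be visible so the objective can be scored)
    undisclosed  no supplier named, or not resolvable in the registry:
                 an evidence gap, never a pass
    """
    supplier = (component.get("supplier") or {}).get("name")
    country = registry.get(supplier) if supplier else None
    if country is None:
        return "undisclosed", None
    verdict = "in_scope" if country in IN_SCOPE_JURISDICTIONS else "non_eu"
    return verdict, country


def screen_sbom(sbom_json, registry=SUPPLIER_JURISDICTION):
    """Screen a CycloneDX JSON SBOM and group its components by origin."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX JSON document")
    report = {"in_scope": [], "non_eu": [], "undisclosed": []}
    seen = set()
    for comp in iter_components(sbom.get("components") or []):
        # bom-ref is the stable identity; fall back to name@version
        key = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        if key in seen:
            continue
        seen.add(key)
        verdict, country = classify(comp, registry)
        report[verdict].append({
            "name": comp.get("name"),
            "version": comp.get("version"),
            "supplier": (comp.get("supplier") or {}).get("name"),
            "country": country,
        })
    # Transparency is evidenced only when every component names a resolvable
    # supplier; non-EU origin is then declared rather than hidden.
    report["transparency_complete"] = not report["undisclosed"]
    return report


# Constructed sample SBOM (not a real provider's document).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "platform", "bom-ref": "ctl", "name": "control-plane",
         "version": "4.2.0", "supplier": {"name": "Example Hosting SA"},
         "components": [
             {"type": "library", "bom-ref": "db", "name": "cluster-db",
              "version": "15.3", "supplier": {"name": "Open Project Foundation"}},
         ]},
        {"type": "library", "bom-ref": "kms", "name": "kms-agent",
         "version": "2.1.7", "supplier": {"name": "Sample Cloud Inc."}},
        {"type": "library", "bom-ref": "tls", "name": "tls-terminator",
         "version": "1.0.9"},  # no supplier disclosed at all
    ],
})

if __name__ == "__main__":
    result = screen_sbom(SAMPLE_SBOM)
    for bucket in ("in_scope", "non_eu", "undisclosed"):
        for c in result[bucket]:
            print(f"{bucket:12} {c['name']}@{c['version']} "
                  f"supplier={c['supplier']} country={c['country']}")
    print("transparency complete:", result["transparency_complete"])
```

Running the sample yields two in-scope components (CH and NL), one US-origin component that must be declared, and one component with no supplier, so the SBOM does not yet evidence the transparency objective. The registry lookup is deliberately by exact supplier name: fuzzy matching would let a rebranded subsidiary slip through as an EU entity.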

The implication for procurement officers is direct: a provider cannot achieve SEAL-3 purely by inserting a European operating company between the buyer and the underlying hyperscaler platform. The framework’s floor-based aggregation means that a weak score on technological openness or supply-chain transparency will cap the overall SEAL level regardless of the legal wrapper’s quality. Providers such as OVHcloud, STACKIT, Scaleway and Post Telecom, which operate infrastructure built on open-source or European-origin technology stacks, are structurally better positioned to achieve SEAL-3 without remediation across these specific objectives.

Sovereignty-washing risk: Buyers should require providers to submit the SBOM and the independent legal opinion before shortlisting, not as a post-award condition. Marketing materials describing a service as “sovereign” carry no weight in a SEAL assessment; only the documented evidence package does.

Which Sovereignty Objectives Favour On-Premises and Swiss-Hosted Infrastructure

Not all eight SEAL objectives are equally challenging for each infrastructure model. The table below maps six of the eight objectives to how readily three infrastructure types satisfy them (environmental accountability and security assurance are not shown).

Infrastructure types compared: on-premises (customer-controlled), Swiss-hosted (sovereign provider), EU-domiciled hyperscaler subsidiary.

Legal protection from foreign surveillance law
  On-premises: Strongest; no third-party legal exposure
  Swiss-hosted: Strong; revFADP, no CLOUD Act equivalent
  Hyperscaler subsidiary: Weak if a US parent exists

Operational resilience
  On-premises: Dependent on internal capability
  Swiss-hosted: Strong if SLA and redundancy are documented
  Hyperscaler subsidiary: Typically strong

Supply-chain transparency
  On-premises: Full control and visibility
  Swiss-hosted: Strong if open-source stack
  Hyperscaler subsidiary: Weak if proprietary US-origin components

Technological openness
  On-premises: Strong with open-source deployment
  Swiss-hosted: Strong with open-source stack
  Hyperscaler subsidiary: Typically weak

EU-law compliance (GDPR, NIS-2, DORA)
  On-premises: Full direct control
  Swiss-hosted: Strong via adequacy decision
  Hyperscaler subsidiary: Complex if intra-group transfers exist

Strategic autonomy
  On-premises: Maximum
  Swiss-hosted: High
  Hyperscaler subsidiary: Low to medium

Conducting a SEAL-Equivalent Assessment Outside the Cloud III DPS

Many regulated organisations, particularly at the national and regional level, will procure cloud or hosting services outside the Cloud III DPS process entirely. The SEAL methodology remains the most rigorous publicly available reference standard and can be applied as an internal assessment tool.

A compliance officer or CISO conducting such an assessment should begin by mapping each of the eight sovereignty objectives to documented evidence held by the candidate provider. The evidence hierarchy mirrors the Cloud III DPS requirements: independent legal opinions outrank in-house statements; third-party attestations (ISO 27001, BSI C5, SOC 2 Type II) outrank self-assessments; a machine-readable SBOM (SPDX or CycloneDX) that the buyer can verify outranks a vendor-provided component list that cannot be independently checked.

The assessment document should record the evidence reviewed, the scoring rationale for each objective, the resulting SEAL-equivalent level and any gaps identified. It should be version-controlled, signed by the responsible officer and scheduled for annual review or immediate review upon any change in the provider’s ownership structure, technology stack or the legal landscape of the provider’s jurisdiction. This document becomes a primary artefact in any NIS-2 Article 21 or DORA Article 28 supervisory examination.
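As an added example, not part of the original page or of the Commission's framework: the assessment record described here, built in Python, applying the evidence hierarchy from the previous paragraph and the floor-based aggregation from the SEAL architecture section. The evidence ceilings (how high a level each kind of evidence can support), the sample evidence set and the document identifiers are assumptions of this example; the framework's own scoring rubric is not reproduced. Version control and sign-off of the resulting record are left to the buyer's document system.

```python
from dataclasses import dataclass

# The eight objectives, in the order the page lists them.
OBJECTIVES = (
    "strategic_autonomy", "legal_protection", "operational_resilience",
    "environmental_accountability", "supply_chain_transparency",
    "technological_openness", "security_assurance", "eu_law_compliance",
)

# Evidence hierarchy expressed as a ceiling on the SEAL level a document can
# support. The numbers are an assumption of this example, not the framework's
# rubric: self-declared material evidences at most basic transparency
# (SEAL-1); in-house legal statements and unverified vendor component lists
# at most SEAL-2; independent opinions, third-party attestations and
# verifiable SBOMs can support any level.
EVIDENCE_CEILING = {
    "none": 0,
    "self_assessment": 1,
    "in_house_statement": 2,
    "vendor_component_list": 2,
    "independent_legal_opinion": 4,
    "third_party_attestation": 4,
    "verifiable_sbom": 4,
}


@dataclass(frozen=True)
class Evidence:
    objective: str       # one of OBJECTIVES
    claimed_level: int   # SEAL level the provider asserts, 0..4
    kind: str            # key of EVIDENCE_CEILING
    reference: str       # identifier of the document actually reviewed

    def __post_init__(self):
        if self.objective not in OBJECTIVES:
            raise ValueError(f"unknown objective: {self.objective}")
        if not 0 <= self.claimed_level <= 4:
            raise ValueError("claimed_level must be 0..4")
        if self.kind not in EVIDENCE_CEILING:
            raise ValueError(f"unknown evidence kind: {self.kind}")

    def credited_level(self):
        """Credit the lower of what is claimed and what the evidence can bear."""
        return min(self.claimed_level, EVIDENCE_CEILING[self.kind])


def assess(evidence, target=3):
    """Return the assessment record: per-objective rationale, the floor-based
    SEAL-equivalent level, and the objectives falling short of the target."""
    by_objective = {}
    for ev in evidence:
        if ev.objective in by_objective:
            raise ValueError(f"duplicate evidence for {ev.objective}")
        by_objective[ev.objective] = ev
    rationale, gaps = {}, []
    for obj in OBJECTIVES:
        ev = by_objective.get(obj)
        if ev is None:
            entry = {"level": 0, "kind": "none", "reference": None,
                     "note": "no evidence reviewed"}
        else:
            level = ev.credited_level()
            note = ("credited as claimed" if level == ev.claimed_level else
                    f"capped at {level}: {ev.kind} cannot evidence SEAL-{ev.claimed_level}")
            entry = {"level": level, "kind": ev.kind,
                     "reference": ev.reference, "note": note}
        rationale[obj] = entry
        if entry["level"] < target:
            gaps.append(obj)
    # Floor-based aggregation: the weakest objective sets the overall level.
    seal = min(entry["level"] for entry in rationale.values())
    return {"seal_equivalent": seal, "target": target,
            "meets_target": seal >= target, "rationale": rationale, "gaps": gaps}


# Constructed evidence set: seven objectives evidenced to SEAL-3, while legal
# protection is claimed at SEAL-3 but backed only by an in-house letter.
SAMPLE_EVIDENCE = [
    Evidence("strategic_autonomy", 3, "third_party_attestation", "ATT-2026-01"),
    Evidence("legal_protection", 3, "in_house_statement", "LEGAL-MEMO-07"),
    Evidence("operational_resilience", 3, "third_party_attestation", "ATT-2026-02"),
    Evidence("environmental_accountability", 3, "third_party_attestation", "ATT-2026-03"),
    Evidence("supply_chain_transparency", 3, "verifiable_sbom", "SBOM-2026-Q1"),
    Evidence("technological_openness", 3, "third_party_attestation", "ATT-2026-04"),
    Evidence("security_assurance", 3, "third_party_attestation", "C5-TYPE2-2025"),
    Evidence("eu_law_compliance", 3, "independent_legal_opinion", "OPINION-2026-02"),
]

if __name__ == "__main__":
    record = assess(SAMPLE_EVIDENCE)
    for obj, entry in record["rationale"].items():
        print(f"{obj:30} SEAL-{entry['level']}  {entry['note']}")
    print("SEAL-equivalent:", record["seal_equivalent"], "gaps:", record["gaps"])
```

On the sample set the record comes out at SEAL-2 with a single gap, legal protection, even though every other objective is evidenced to SEAL-3; replacing the in-house memo with an independent opinion lifts the floor to SEAL-3. An objective with no evidence at all scores 0, which is the intended behaviour: an unreviewed objective cannot be credited by silence.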

According to the European Data Protection Supervisor: “Sovereignty is not a marketing label; it is a verifiable set of legal, technical and operational conditions that must be evidenced, not asserted.” This principle should anchor every internal assessment methodology, regardless of whether the Cloud III DPS formally applies.

Anticipating Post-April 2026 Revisions to the Framework

The Commission reference COM(2026) 502 CADA signals that a formal lessons-learned review of the Cloud Sovereignty Framework is underway following the April 2026 tender cycle. Regulated buyers should prepare for revisions in three areas.

First, post-quantum cryptography readiness is expected to become a scored sub-criterion under the security objective rather than a recommended practice. NIST finalised its first post-quantum standards in August 2024 (FIPS 203, ML-KEM; FIPS 204, ML-DSA; FIPS 205, SLH-DSA), and the Commission has indicated that services handling data with a confidentiality horizon beyond 2030 should demonstrate a documented migration roadmap to post-quantum algorithms. A credible roadmap prioritises key exchange and long-lived data at rest, where traffic or ciphertext recorded today can be decrypted once a capable quantum computer exists, over signatures, which need only hold at the moment of verification. Buyers entering multi-year contracts in 2026 or 2027 should include contractual obligations on post-quantum readiness to avoid renegotiation costs later.

Second, the treatment of hyperscaler-adjacent offerings is likely to become more prescriptive. The Proximus/S3NS case generated significant commentary during the tender evaluation period, and the Commission’s DIGIT directorate has signalled that future guidance will provide clearer scoring rules for services where the operating entity is European but the technology origin is not.

Third, alignment with the EU Classified Information framework may raise the SEAL-4 threshold or introduce a SEAL-4+ sub-level for national security workloads, reflecting the distinct accreditation requirements that apply when EU-RESTRICTED or higher classification is involved.

The European Commission Directorate-General for Informatics (DIGIT) has stated that “the Cloud III framework is designed to ensure that contracting authorities can distinguish genuine sovereignty from sovereignty-washing by requiring documented evidence at each SEAL level.” Buyers should monitor DIGIT and ENISA publications throughout 2026 and 2027 to incorporate updated criteria into their supplier qualification processes before those criteria become contractually mandatory.

Three statistics frame the urgency of getting sovereign procurement methodology right. The IBM Cost of a Data Breach Report 2024 recorded the average total cost of a data breach at USD 4.88 million, the highest figure in the report’s history. ENISA’s Threat Landscape 2023 reported that ransomware accounted for more than 50 percent of all significant cyber incidents affecting EU critical infrastructure sectors. And the European Commission’s 2023 Cloud Market Study found that three hyperscalers, Amazon Web Services, Microsoft Azure and Google Cloud, together hold over 65 percent of European public cloud infrastructure revenue, a concentration that the Cloud III DPS and SEAL methodology are specifically designed to counterbalance through evidence-based procurement discipline.

FAQ

What is the minimum SEAL level a regulated buyer should require in a Cloud III DPS procurement?

For public sector, finance, healthcare and legal organisations handling sensitive or personal data, SEAL-3 (Digital Resilience) is the recommended minimum. SEAL-4 applies where there is a national security dimension or data sensitivity equivalent to EU-RESTRICTED. SEAL-2 is acceptable only for non-sensitive administrative workloads where legal isolation from foreign surveillance law is not a material risk.

Does Swiss hosting satisfy the SEAL framework’s legal sovereignty objective despite Switzerland not being an EU member state?

Switzerland has held a Commission adequacy decision since 2000, confirmed in the Commission's January 2024 review after the revised Federal Act on Data Protection (revFADP) entered into force on 1 September 2023. Under SEAL-3 criteria, the decisive legal test is whether foreign surveillance instruments such as the US CLOUD Act or FISA Section 702 can compel access to data. Swiss-domiciled providers with no US ownership chain satisfy this test more cleanly than many EU-domiciled but US-owned providers, and the FDPIC has confirmed that Swiss law contains no CLOUD Act-equivalent extraterritorial access mechanism.

What does the Proximus/S3NS award reveal about how the SEAL framework handles hyperscaler-adjacent offerings?

The Proximus/S3NS case demonstrates that inserting a European operating company between the buyer and a US-origin hyperscaler platform does not automatically achieve SEAL-3. The framework’s supply-chain transparency and technological openness objectives score the origin of the underlying technology stack, and its floor-based aggregation method means a weak score on either objective caps the overall SEAL level regardless of the legal wrapper’s quality. The underlying code, the key management and the update pipeline must each be assessed, together with any residual contractual links to the non-European parent.

How can a CISO document a SEAL-equivalent assessment when the Cloud III DPS process does not apply?

The CISO should map provider controls against all eight sovereignty objectives using the EU Cloud Sovereignty Framework v1.2.1 as the reference rubric. The assessment should be supported by contractual evidence (data processing agreements, jurisdiction clauses), technical evidence (encryption key management, data residency logs), audit evidence (ISO 27001, SOC 2 Type II or BSI C5 attestations) and an independently verified SBOM. The resulting document should be version-controlled, signed by the responsible officer and reviewed annually or after any material change to the provider’s ownership, technology or jurisdiction.

What revisions to the Cloud Sovereignty Framework should buyers expect following the April 2026 Cloud III DPS tender?

Based on COM(2026) 502 CADA and Commission signals, buyers should anticipate: post-quantum cryptography readiness as a scored sub-criterion under the security objective; more prescriptive scoring rules for hyperscaler-adjacent offerings following the Proximus/S3NS debate; and potential SEAL-4 threshold adjustments to align with the EU Classified Information framework. Buyers entering long-term contracts should include post-quantum readiness obligations now to avoid renegotiation exposure when the revised framework is published.
