Updated July 1, 2026
Summary: The EU Cloud Sovereignty Framework v1.2.1 gives procurement officers a structured 48-criteria scoring grid to distinguish genuine sovereignty from contractual workarounds. For regulated buyers under DORA and NIS-2, understanding the SEAL-2 to SEAL-3 gap is the difference between a compliant shortlist and an audit risk.

The EU Cloud Sovereignty Framework v1.2.1 is a structured procurement instrument developed by the European Commission that evaluates cloud providers across eight sovereignty objectives using 48 discrete scored criteria, producing a Sovereignty Effectiveness Assurance Level (SEAL) rating from SEAL-1 to SEAL-4. For compliance officers, CISOs and procurement leads in regulated sectors, this framework is the most granular tool currently available to distinguish genuine data sovereignty from contractual window-dressing.

The Architecture of the 48 Criteria

The Framework organises its 48 criteria under eight sovereignty objectives, each targeting a distinct risk dimension that a regulated buyer faces when placing sensitive workloads in a third-party cloud environment.

The eight objectives cover: legal jurisdiction and applicable law; data residency and portability; operational transparency and audit rights; technical security and encryption; supply-chain independence; incident response and continuity; personnel security and access controls; and long-term exit and interoperability rights. Each objective contributes a weighted score toward the overall SEAL rating. Providers are assessed on documentary evidence, third-party audits and contractual commitments, not self-declaration alone.

The criteria that carry the most weight in separating SEAL-2 from SEAL-3 sit within the legal jurisdiction and supply-chain independence objectives. Specifically, the Framework asks whether the provider, its parent entities, and its key technology suppliers are subject to any foreign law that permits government-compelled access to data without routing that request through EU mutual legal assistance channels. This is where US-controlled providers encounter a structural ceiling.

Key distinction: SEAL-2 permits contractual sovereignty wrappers, meaning a provider legally subject to foreign jurisdiction may still qualify if contractual and technical controls demonstrably limit exposure. SEAL-3 requires that no such foreign legal obligation exists at the structural level. These are not equivalent levels of protection.

SEAL-2 Versus SEAL-3: Why the Gap Matters for DORA and NIS-2

The difference between SEAL-2 and SEAL-3 is not merely a scoring increment; it is a regulatory risk boundary for organisations subject to the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) and the NIS-2 Directive (Directive (EU) 2022/2555).

SEAL-2 (Data Sovereignty) confirms that personal and sensitive data is stored and processed within the EU, that data residency is contractually guaranteed, and that a sovereignty wrapper (such as a European-controlled joint venture or a contractual access-denial clause) reduces but does not eliminate foreign jurisdiction exposure. The European Data Protection Board has been explicit that contractual clauses alone cannot neutralise the extraterritorial reach of the CLOUD Act or FISA 702; only structural separation of ownership and operational control can do that.

SEAL-3 (Digital Resilience) requires, in addition to all SEAL-2 conditions, that the provider’s technology stack, operational personnel, and corporate ownership chain are free from entities legally obligated under laws such as the US CLOUD Act (18 U.S.C. § 2713), FISA Section 702, or China’s 2017 Cybersecurity Law. At SEAL-3, a regulator examining the supply chain finds no plausible legal pathway by which a foreign government could compel data access without EU judicial oversight.

Under DORA Article 29, financial entities must assess ICT third-party concentration risk and maintain evidence that systemic dependencies are managed. A SEAL-2 provider under a contractual wrapper still carries a residual, unmitigated legal risk that a competent authority examining the register of ICT third-party providers may classify as an open concentration risk item. SEAL-3 removes that item from the risk register entirely. For hospitals and insurers subject to NIS-2 Article 21 supply-chain security obligations, the same logic applies: the standard of care requires demonstrable control, not contractual intent.

Dimension                            | SEAL-2 (Data Sovereignty)                          | SEAL-3 (Digital Resilience)
-------------------------------------|----------------------------------------------------|------------------------------------------
Foreign jurisdiction exposure        | Mitigated by contractual wrapper                   | Absent at structural level
Technology supply-chain origin       | May include non-EU origin with controls            | Must be EU-controlled throughout
Ownership and operational control    | EU-controlled entity permitted with parent disclosure | Full EU ownership and control required
DORA concentration risk status       | Residual risk remains on register                  | Risk item closeable with evidence
NIS-2 Art. 21 supply-chain compliance | Partial, requires supplementary controls          | Fully supportable with audit trail

How the Legal Criteria Exclude CLOUD Act and FISA 702-Subject Providers from SEAL-3

The Framework’s legal and jurisdictional criteria function as hard gates rather than sliding scales. A provider that cannot demonstrate freedom from CLOUD Act or FISA 702 obligations cannot accumulate enough points in the legal jurisdiction objective to reach the SEAL-3 threshold, regardless of how well it performs on technical security criteria.

The CLOUD Act amends the Stored Communications Act to require US-headquartered providers to produce data held anywhere in the world when served with a valid US legal order. No contractual commitment to a European customer overrides this statutory obligation. Similarly, FISA Section 702 authorises the collection of communications of non-US persons by US-incorporated entities without a warrant visible to the data subject. The Framework’s criteria explicitly test for these obligations by examining the legal domicile of the provider, its ultimate parent, and its key sub-processors.

For joint-venture structures such as S3NS (the Thales-Google Cloud joint venture operating in France), the Framework’s assessors must examine whether the French entity holds genuine operational control or whether critical administrative and technical functions remain with Google LLC. S3NS is structured to place Thales as the operational controller of the French entity, which removes the direct CLOUD Act obligation from that entity. However, the underlying technology dependency on Google’s infrastructure means that the supply-chain independence criteria, which ask specifically about the origin and controllability of the technology stack, will reflect residual dependency. This is precisely the scoring gap that separates S3NS-class wrappers from fully European providers such as OVHcloud and STACKIT, both of which are European-owned and operated without equivalent upstream dependencies.

The Commission considers contractual sovereignty wrappers sufficient for SEAL-2 when the wrapper includes: an EU-law-governed data processing agreement with explicit foreign access denial clauses; a technical architecture that prevents the non-EU parent from accessing plaintext data; an independent audit right for the customer or a competent authority; and a designated European entity with legal liability for breaches. These conditions are demanding but achievable, which is why SEAL-2 remains a meaningful procurement floor rather than a participation trophy.

What the April 2026 EUR 180 Million Tender Revealed

The European Commission’s Cloud III Dynamic Purchasing System (Cloud III DPS) procurement, with an estimated value of EUR 180 million announced in April 2026, provided the most detailed public evidence to date of how real providers score under the Framework’s criteria in a competitive setting.

The tender’s published evaluation reports indicated that fully European providers, specifically those without any US or Chinese parent or technology dependency, consistently achieved SEAL-3 scores in the legal and supply-chain objectives. Non-European hyperscalers operating through contractual sovereignty wrappers were evaluated at SEAL-2, confirming that the Framework’s hard gates function as designed. Notably, the Cloud III DPS results showed that the gap in total weighted scores between SEAL-2 and SEAL-3 providers was most pronounced in the supply-chain independence and personnel security objectives, areas where contractual remedies cannot substitute for structural control.

The European Union Agency for Cybersecurity (ENISA) has noted that sovereignty is not a binary feature; it is a spectrum of assurance that must be measured, scored and independently verified before a contract is signed. The Cloud III DPS results operationalise that principle: procurement officers reviewing the published scores have a concrete benchmark against which to compare vendor claims made in private-sector procurement processes.

Benchmarking note: The Cloud III DPS scoring results are public procurement records and provide regulated private-sector buyers with a defensible reference point when challenging vendor sovereignty claims that exceed what was demonstrated in a competitive EU institutional tender.

The average total cost of a data breach reached USD 4.45 million globally in 2023, according to IBM’s annual Cost of a Data Breach Report, while ENISA’s 2023 Threat Landscape report recorded a 37 percent year-on-year increase in ransomware incidents targeting European public administration and healthcare. Against this risk backdrop, the EUR 180 million procurement scale reflects an institutional judgment that sovereign infrastructure is not a premium but a baseline control.

Adapting the Framework for Private-Sector Due Diligence

A regulated private-sector organisation, such as a bank, insurer or hospital, is not required to run a formal public tender governed by EU procurement directives. However, the Framework’s scoring methodology translates directly into an internal vendor due-diligence checklist with minimal adaptation.

The practical approach is to treat the eight sovereignty objectives as sequential screening gates before any weighted scoring begins. A provider that cannot satisfy the legal jurisdiction objective (demonstrating freedom from CLOUD Act, FISA 702 or equivalent foreign obligations at the structural level) does not proceed to weighted evaluation. This pass-or-fail gate eliminates providers that can reach neither SEAL-3 nor SEAL-2 and flags those that can only reach SEAL-2, so that the procurement team makes an explicit, documented risk-acceptance decision before a SEAL-2 provider is allowed into weighted scoring and selected.

Once the gates are cleared, the remaining 48 criteria can be weighted according to the organisation’s regulatory context. A hospital prioritising NIS-2 Article 21 compliance will weight the supply-chain and incident response criteria more heavily. A bank managing DORA concentration risk under Article 29 will place greater weight on the portability, exit rights and operational continuity criteria. The resulting score is not merely a vendor ranking; it is a documented risk assessment that satisfies the audit-readiness requirements of both DORA and the GDPR’s accountability principle under Article 5(2).
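The gate-then-weight procedure described in the two paragraphs above, as an added worked example that is not the Commission's, the Framework's or any vendor's own tooling. The gate identifiers, the objective names, the two weight profiles and the three sample providers are all constructed for illustration (the real Framework has 48 criteria and publishes its own weights); the rule that a gate failure with a verified wrapper caps a provider at SEAL-2, and without one at SEAL-1, is an assumption modelled on the text, not the Framework's published threshold arithmetic.

```python
from dataclasses import dataclass

# Structural pass-or-fail gates, following the screening approach described above.
# Gate identifiers and descriptions are constructed for this example; they are not
# the Framework's own criterion text.
STRUCTURAL_GATES = {
    "legal_jurisdiction": "no foreign law can compel data access outside EU legal channels",
    "ownership_control": "ownership chain and operational control are EU-controlled",
    "data_residency": "EU data residency is technically enforced, not only promised",
}

# Weight profiles per regulatory context (constructed; a simplified subset of
# objectives, not the Framework's 48 criteria). Each profile sums to 1.0.
WEIGHT_PROFILES = {
    "hospital_nis2": {"supply_chain": 0.35, "incident_response": 0.30,
                      "portability_exit": 0.15, "personnel_security": 0.20},
    "bank_dora": {"supply_chain": 0.20, "incident_response": 0.20,
                  "portability_exit": 0.40, "personnel_security": 0.20},
}


@dataclass
class Provider:
    name: str
    gates: dict             # gate id -> True if documentary evidence satisfies the gate
    verified_wrapper: bool  # verified contractual sovereignty wrapper in place
    scores: dict            # objective -> evidence-based score, 0..100


@dataclass
class Assessment:
    provider: str
    seal_cap: int                   # highest SEAL level the structural gates allow (assumption)
    failed_gates: list
    proceeds_to_scoring: bool
    risk_acceptance_required: bool  # True whenever the provider is capped at SEAL-2
    weighted_score: float           # 0.0 when the provider does not proceed


def structural_cap(provider):
    """All gates passed -> SEAL-3 reachable; gate failures with a verified wrapper
    -> capped at SEAL-2; gate failures without one -> SEAL-1 (modelling assumption)."""
    failed = [g for g in STRUCTURAL_GATES if not provider.gates.get(g, False)]
    if not failed:
        return 3, failed
    if provider.verified_wrapper:
        return 2, failed
    return 1, failed


def weighted_score(scores, profile):
    weights = WEIGHT_PROFILES[profile]
    assert abs(sum(weights.values()) - 1.0) < 1e-9, "weights must sum to 1"
    return round(sum(weights[obj] * scores.get(obj, 0) for obj in weights), 2)


def assess(provider, profile, accept_seal2=False):
    """Gate first, weight second. A SEAL-2-capped provider only proceeds when the
    procurement team has recorded an explicit risk-acceptance decision."""
    cap, failed = structural_cap(provider)
    if cap == 3:
        proceeds, needs_acceptance = True, False
    elif cap == 2:
        proceeds, needs_acceptance = accept_seal2, True
    else:
        proceeds, needs_acceptance = False, False
    score = weighted_score(provider.scores, profile) if proceeds else 0.0
    return Assessment(provider.name, cap, failed, proceeds, needs_acceptance, score)


def shortlist(providers, profile, accept_seal2=False):
    """Rank the providers that proceed, highest weighted score first; SEAL cap breaks ties.
    The risk-acceptance flag travels with each entry so it cannot be lost in the ranking."""
    results = [assess(p, profile, accept_seal2) for p in providers]
    ranked = [r for r in results if r.proceeds_to_scoring]
    ranked.sort(key=lambda r: (r.weighted_score, r.seal_cap), reverse=True)
    return ranked


# Constructed sample providers: illustrative values, not assessments of real vendors.
SAMPLE_PROVIDERS = [
    Provider("eu-owned-provider",
             {"legal_jurisdiction": True, "ownership_control": True, "data_residency": True}, False,
             {"supply_chain": 80, "incident_response": 70, "portability_exit": 75, "personnel_security": 85}),
    Provider("foreign-parent-with-wrapper",
             {"legal_jurisdiction": False, "ownership_control": False, "data_residency": True}, True,
             {"supply_chain": 60, "incident_response": 90, "portability_exit": 85, "personnel_security": 70}),
    Provider("foreign-parent-no-wrapper",
             {"legal_jurisdiction": False, "ownership_control": False, "data_residency": False}, False,
             {"supply_chain": 50, "incident_response": 95, "portability_exit": 90, "personnel_security": 80}),
]

if __name__ == "__main__":
    for profile in WEIGHT_PROFILES:
        print(profile)
        for r in shortlist(SAMPLE_PROVIDERS, profile, accept_seal2=True):
            print(f"  {r.provider}: SEAL cap {r.seal_cap}, score {r.weighted_score}, "
                  f"risk acceptance required: {r.risk_acceptance_required}, failed gates: {r.failed_gates}")
```

With the constructed numbers, the wrapper-backed provider out-scores the EU-owned one under the bank profile once the SEAL-2 risk acceptance is recorded, and ranks below it under the hospital profile. That is the point of keeping the gate result and the weighted score as separate fields: the score ranks vendors, but only the gate outcome and the recorded acceptance decision tell an auditor whether a residual jurisdiction item remains on the register.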

The European Commission estimated in its 2023 cloud strategy that more than 75 percent of European public-sector cloud spending flows to non-European hyperscalers. For private-sector regulated entities that have followed the same procurement patterns, the Framework provides both the vocabulary and the evidence standard to justify a change of direction to boards, supervisors and external auditors.

Frequently Asked Questions

What is the EU Cloud Sovereignty Framework v1.2.1 and who is it designed for?

It is a structured procurement methodology developed by the European Commission to assess cloud providers across eight sovereignty objectives using 48 scored criteria. It is designed primarily for EU institutions and member-state bodies running formal tenders, but its scoring logic is directly adaptable for regulated private-sector organisations conducting vendor due diligence.

Can a US-headquartered hyperscaler ever reach SEAL-3 under the Framework?

No, not under current US law. SEAL-3 requires that no foreign jurisdiction can compel access to data without going through EU legal channels. The CLOUD Act (18 U.S.C. § 2713) and FISA 702 create extraterritorial access obligations that cannot be contractually waived, meaning any provider legally subject to those statutes is structurally capped at SEAL-2 at best, and only when a verified contractual sovereignty wrapper is in place.

What does the SEAL-2 to SEAL-3 gap mean practically for a bank subject to DORA?

DORA’s concentration risk provisions under Article 29 require financial entities to assess and manage systemic dependency on a single ICT third-party provider. A SEAL-2 provider under a contractual wrapper still carries residual legal risk from foreign jurisdiction, which regulators may classify as an unmitigated concentration risk. SEAL-3, requiring structural operational independence, is the threshold at which that residual risk is removed and audit evidence becomes clean.

How does S3NS score relative to OVHcloud or STACKIT under the Framework’s legal criteria?

S3NS is structured as a French legal entity with Thales as operational controller, which removes direct CLOUD Act exposure from the French entity itself. However, because the underlying technology stack originates from Google LLC, assessors applying criteria on technology independence and supply-chain control will note residual dependency. OVHcloud and STACKIT, both fully European-owned and operated, face no equivalent structural dependency and score higher on the technology-origin and ownership criteria that underpin SEAL-3.

How should a hospital or insurer use the 48 criteria as an internal due-diligence checklist?

The most practical approach is to extract the Framework’s eight sovereignty objectives as mandatory screening gates before scoring begins. Criteria covering legal jurisdiction, ownership structure, and data-residency enforcement should be treated as pass-or-fail prerequisites. Providers that cannot satisfy these do not proceed to weighted scoring. The remaining operational and technical criteria can then be weighted according to the organisation’s own risk profile, giving procurement officers a defensible, audit-ready record of the evaluation.
