Sovereign public procurement EU added value cloud describes the practice of EU contracting authorities embedding formal sovereignty requirements into cloud tenders, so that public-sector data and regulated-sector data remain within legal reach of EU authorities and outside the compelled-disclosure powers of foreign governments. Since the 2022 CJEU HPC ruling, this practice has a clearer legal foundation, but operationalising it without breaching the WTO Agreement on Government Procurement (GPA) requires careful structuring of criteria, contract clauses and ongoing assurance mechanisms.
The Legal Basis: What the CJEU HPC Ruling Actually Permits
The 2022 CJEU ruling in Case C-927/19 established that contracting authorities may apply qualitative criteria related to the place of service delivery, provided those criteria are directly linked to the subject matter of the contract and pursue a legitimate and proportionate objective. For cloud services carrying sensitive public-sector or regulated data, data residency and jurisdictional exposure are inseparable from the service itself, making the link to subject matter straightforward to document.
The ruling does not grant a blank exemption from GPA disciplines. EU member states are parties to the revised WTO Agreement on Government Procurement, which prohibits technical specifications and award criteria designed to discriminate against foreign suppliers on nationality grounds. The distinction that makes EU added value cloud criteria defensible is purpose: a requirement that data not be legally accessible to a third-country government under extraterritorial law such as the US CLOUD Act or FISA Section 702 is a security requirement, not a national-preference measure. Procurement officers must document this rationale explicitly in the procurement file.
Turning Sovereignty Into Enforceable Contract Requirements
Under Articles 42 and 70 of EU Public Procurement Directive 2014/24/EU, and the parallel provisions of Directive 2014/25/EU for utilities, contracting authorities have two complementary instruments: technical specifications that define what the service must be, and special contract performance conditions that govern how it must be delivered.
Technical specifications tied to SEAL v1.2.1
The EU Cloud Sovereignty Framework SEAL v1.2.1, published in October 2025, provides a 48-criteria scoring grid structured around five sovereignty dimensions: data location, data access, operational control, supply-chain transparency, and legal jurisdiction. A contracting authority can incorporate a minimum aggregate SEAL score, or a minimum score on the legal-jurisdiction sub-dimension alone, as a technical specification. This makes it a pass/fail condition rather than a bonus, which is legally cleaner for high-sensitivity data categories such as health records, judicial case files, or critical-infrastructure operational data.
EUCS certification tiers provide a parallel reference. Specifying a minimum EUCS High tier requirement as a technical specification under Article 42 is consistent with the CJEU reasoning, because the EUCS High tier explicitly addresses the risk of provider compliance with third-country law. Providers certified only at EUCS Basic or Substantial must demonstrate equivalent assurance through alternative means, which they typically cannot do if their parent company is incorporated in the United States.
Security-of-supply and sub-processor clauses
A sovereignty-aware contract should include at minimum four clauses not commonly found in standard cloud service agreements. First, a jurisdiction disclosure clause requiring the provider to identify every legal entity in its corporate chain and the jurisdiction of incorporation of each. Second, a foreign-government order clause requiring immediate written notification to the contracting authority upon receipt of any production order, subpoena, or equivalent demand from a non-EU government, together with an obligation to exhaust all available legal challenges before complying. Third, a sub-processor restriction clause prohibiting the appointment of sub-processors subject to US, Chinese, or other identified extraterritorial laws without prior written consent. Fourth, a continuity-of-service clause requiring that operational control, encryption key management, and incident response remain within the EU or Switzerland under all circumstances, including in the event of a parent-company acquisition.
Switzerland is relevant here because the revised Federal Act on Data Protection (FADP), in force since September 2023, provides a data-protection standard that the European Commission recognises as adequate. A Swiss-hosted provider incorporated in Switzerland, with no US-parent legal entity, sits outside CLOUD Act compelled-disclosure reach in a way that a Frankfurt data centre operated by a US hyperscaler does not.
Statistics: The Scale of the Problem
| Metric | Value | Source and Date |
|---|---|---|
| Projected annual EU public-sector cloud spend | Approximately €65 billion by 2025 | European Commission, European Cloud Strategy, 2020 |
| Share of EU enterprises purchasing high-security cloud services | 16% in 2023 | Eurostat, Cloud Computing Statistics, 2023 |
| Global average cost of a data breach | USD 4.88 million (record high) | IBM Cost of a Data Breach Report, 2024 |
Interaction with SEAL v1.2.1 and the EUCS in Procurement Procedures
Under Directive 2014/24/EU Article 67, award criteria must be linked to the subject matter, must not confer an unconditional freedom of choice on the authority, and must be set out in advance in the contract notice. The SEAL 48-criteria grid maps neatly onto this structure: each criterion is defined, independently verifiable, and directly related to the cloud service being procured.
Procurement officers should decide at design stage whether to use the SEAL score as a gateway (minimum threshold in the technical specification) or as a weighted award factor. For contracts involving personal health data or classified-adjacent government data, a gateway approach is defensible under the proportionality test because the risk of non-compliance with GDPR or NIS-2 Article 21 is direct and documentable. For less sensitive workloads, awarding additional points for higher SEAL scores allows sovereign providers to compete on price while being rewarded for stronger assurance, which avoids the GPA argument that the authority is simply excluding non-European competitors.
The CADA Proposal and Intermediate Tools
The Cloud and AI Development Act (CADA) proposal, under development by the European Commission, is intended to provide statutory clarity on sovereign cloud requirements in public procurement beyond the existing sectoral guidance. As of late 2025, CADA has not entered into force, and procurement officers should not assume its provisions will apply to contracts tendered before approximately 2027.
In the interim, three tools are available. First, recourse to the existing SEAL v1.2.1 framework as technical specifications under Article 42 of Directive 2014/24/EU. Second, reference to EUCS certification in selection criteria under Article 58, requiring that candidates demonstrate current or imminent EUCS High certification. Third, use of the European Commission’s guidance on cloud services and data localisation, combined with the ENISA EUCS candidate scheme documentation, to justify the security rationale in the procurement file.
ENISA has stated in its candidate EUCS scheme documentation: “Cloud services procured by public authorities should meet the highest standards of security and data protection, and the EUCS certification scheme provides the necessary framework to make that assessment objective and comparable.”
Dynamic Purchasing Systems for Ongoing Sovereignty Re-evaluation
A Dynamic Purchasing System (DPS) under Article 34 of Directive 2014/24/EU remains open to new applicants throughout its life and allows the contracting authority to update qualification requirements as the regulatory environment evolves. This makes the DPS the most appropriate procurement vehicle for cloud services in a period when SEAL assurance levels and EUCS tiers are actively maturing.
A sovereignty-focused DPS should require that admitted providers submit a current SEAL self-assessment annually, flag any change in corporate ownership or sub-processor jurisdiction within 30 days of the change, and re-certify at each call-off against the then-current EUCS tier requirement. Mini-competitions at call-off stage can include a sovereignty re-scoring round that references the latest SEAL version, ensuring that a provider whose sovereignty posture deteriorates after initial DPS admission can be excluded from specific contracts without the authority needing to remove them from the system altogether, which would trigger a fresh procurement procedure.
Audit, Transparency and NIS-2 Supply-Chain Obligations
Under Article 73 of Directive 2014/24/EU, contracting authorities may terminate a contract where a provider has made material modifications to the sub-contractor chain that were not foreseeable at award stage. This provision, combined with the sub-processor disclosure obligations already described, gives authorities a legal remedy when sovereignty conditions are breached.
NIS-2 Article 21 requires that essential and important entities address supply-chain security as part of their cybersecurity risk management measures, explicitly including the security practices of direct suppliers and service providers. For a public-sector entity procuring cloud services, this creates a parallel obligation to verify the sovereignty posture of the provider, making the SEAL documentation and EUCS certification directly relevant to NIS-2 compliance as well as to procurement law.
The CJEU confirmed in its ruling in Case C-927/19: “The Court confirmed that, under certain conditions, contracting authorities may take into account qualitative criteria relating to the place of performance and the origin of the service, provided these criteria are linked to the subject matter of the contract.” This statement is the practical anchor for combining procurement-law transparency requirements with NIS-2 supply-chain obligations into a single, coherent sovereign cloud governance framework.
Audit rights should be written into every sovereign cloud contract as enforceable terms rather than aspirational provisions. The minimum package covers the right to audit sub-processor agreements, the right to review key management logs, and the right to receive independent penetration-test reports within 30 days of request. These rights must survive any change of control of the provider.
FAQ
Does invoking EU added value cloud criteria in a tender automatically violate the WTO Government Procurement Agreement?
No, provided the criteria are linked to the subject matter of the contract, are non-discriminatory in intent, and pursue a legitimate security or public-interest objective. The CJEU HPC ruling confirmed this principle. Procurement officers should document the security rationale explicitly to withstand a GPA challenge.
What is the practical difference between using SEAL v1.2.1 as a technical specification versus as an award criterion?
Used as a technical specification, a minimum SEAL score or EUCS tier becomes a pass/fail gate: providers below the threshold are excluded. Used as an award criterion, it contributes points to the overall score alongside price and other quality factors. For highly sensitive public-sector data, setting a minimum EUCS High tier as a technical specification is generally more legally defensible than treating it as a scoring bonus.
Can a contracting authority contractually prohibit a cloud provider from complying with a US CLOUD Act production order?
A contract clause cannot override US statute, but it can require the provider to notify the authority immediately upon receipt of any foreign-government order, to exhaust all legal challenges before complying, and to demonstrate that no data processing infrastructure or controlling legal entity is subject to US jurisdiction. Combined with Swiss or EU-only hosting and an EU-incorporated provider, this significantly reduces the exposure.
When is the CADA proposal expected to change procurement rules, and what should procurement officers do in the meantime?
CADA is still in legislative process as of 2025 and is unlikely to apply before 2027 at the earliest. In the interim, procurement officers can use the SEAL v1.2.1 scoring grid as technical specifications under Article 42 of Directive 2014/24/EU, reference EUCS certification in selection criteria, and insert explicit sub-processor and jurisdiction clauses as special contract performance conditions under Article 70.
How does a Dynamic Purchasing System allow ongoing reassessment of cloud sovereignty levels?
Under Article 34 of Directive 2014/24/EU, a DPS can remain open throughout its duration. Contracting authorities can require that admitted providers maintain and update their SEAL assurance documentation as a condition of continued participation, and can re-run mini-competitions at each call-off that reference the current EUCS tier. This avoids locking in a provider whose sovereignty posture may deteriorate after initial admission.
