🇪🇺

EU Cloud Sovereignty Framework Assessment

Based on European Commission Cloud Sovereignty Framework v1.2.1 (October 2025)

About This Assessment

This assessment evaluates your organization's cloud sovereignty maturity based on the European Commission's Cloud Sovereignty Framework, which defines measurable criteria across 8 Sovereignty Objectives (SOV).

This assessment is not endorsed by any regulatory authority, and its findings or recommendations do not constitute legal advice. Red Hat bears no legal responsibility or liability for the results or its use.

The 8 Sovereignty Objectives:

Strategic Sovereignty (15%)
Legal & Jurisdictional Sovereignty (10%)
Data & AI Sovereignty (10%)
Operational Sovereignty (15%)
Supply Chain Sovereignty (20%)
Technology Sovereignty (15%)
Security & Compliance Sovereignty (10%)
Environmental Sustainability (5%)

SEAL Levels (Sovereignty Effectiveness Assurance Levels):


  • SEAL-0: No Sovereignty - Under exclusive non-EU control
  • SEAL-1: Jurisdictional Sovereignty - EU law applies but limited enforceability
  • SEAL-2: Data Sovereignty - EU law enforceable, some non-EU dependencies remain
  • SEAL-3: Digital Resilience - Meaningful EU influence, marginal non-EU control
  • SEAL-4: Full Digital Sovereignty - Complete EU control, no critical non-EU dependencies

Assessment Questions

Answer each question with Yes, No, or Don't Know. Each "Yes" answer contributes to your overall sovereignty score.

Strategic Sovereignty

15% of total score

Ensures that decision-making bodies and governance structures are anchored in the EU legal, financial and industrial ecosystem

Contributing Factors:
  • EU authority with protection against control changes
  • Financing from EU funds
  • Investment and job creation within the EU
  • Participation in EU initiatives
  • Resilience to service interruption requests
Is your cloud service provider incorporated and headquartered within the European Union?
Does your organization have contractual guarantees that prevent change of control to non-EU entities without approval?
Is the majority of your provider's financing sourced from EU-based investors or institutions?

Legal & Jurisdictional Sovereignty

10% of total score

Minimizes exposure to foreign legislation (such as the US CLOUD Act) and ensures enforceability of European rights

Contributing Factors:
  • Applicable law aligned with EU requirements
  • Protection from non-EU legal system application
  • International regulatory compliance
  • EU-based intellectual property location
Do your cloud service contracts explicitly specify EU member state law as the governing jurisdiction?
Has your provider certified that they are not subject to foreign laws (e.g., US CLOUD Act, FISA) that could compel data disclosure?
Are all contractually agreed dispute resolution venues located within the European Union?

Data & AI Sovereignty

10% of total score

Ensures customer control over data and AI models, including processing locations and encryption keys

Contributing Factors:
  • Customer control over data and encryption keys
  • Transparency in data access and option of permanent deletion
  • Data storage and processing exclusively within EU borders
  • AI models under EU governance using European technology stacks
Is all of your organizational data (including backups and logs) processed and stored exclusively within EU data centers?
Does your organization retain exclusive control of encryption keys with no provider access?
Do you have contractual guarantees that your data and AI models will not be used for provider training or profiling without explicit consent?

Operational Sovereignty

15% of total score

Ensures practical ability to manage, support and maintain technology independent of foreign control

Contributing Factors:
  • Migration support to other EU vendors
  • Operational expertise from EU personnel
  • Full availability of technical documentation, source code and operational know-how
  • Critical supplier location within EU jurisdiction
Are all administrative and technical support teams for your cloud services located within the European Union?
Can your organization independently operate and recover critical systems without relying on non-EU third parties?
Do you have documented and tested exit strategies that enable migration from your current provider within EU regulatory timeframes?

Supply Chain Sovereignty

20% of total score

Ensures transparency and EU control over critical software components in the supply chain

Contributing Factors:
  • Firmware origin transparency
  • Software development location and legal framework
  • Architecture, packaging, distribution governance
  • Transparency in the supply chain with inspection and audit rights
Do you have full transparency into the supply chain of critical components, including their origin and manufacturing location?
Are critical software components in your infrastructure predominantly sourced from EU-based or open-source providers?
Has your organization implemented vendor diversity strategies to avoid single points of failure from non-EU suppliers?

Technology Sovereignty

15% of total score

Promotes independence through open standards and avoidance of proprietary vendor lock-in

Contributing Factors:
  • Well-documented, non-proprietary APIs or protocols
  • Open-source software availability
  • Architectural documentation
  • Independence in high-performance computing capabilities
Does your cloud infrastructure use open standards and interoperable technologies rather than proprietary platforms?
Can your critical workloads be migrated to alternative providers without significant re-engineering?
Do you leverage open-source technologies and contribute back to EU-supported open-source projects?

Security & Compliance Sovereignty

10% of total score

Ensures security operations and compliance controls are under exclusive EU jurisdiction

Contributing Factors:
  • ISO and ENISA certifications
  • GDPR, NIS, DORA compliance
  • EU-based security operations and incident response
  • EU-compliant reporting of security incidents
  • Patch management and audit support capabilities
Are your Security Operations Centers (SOC) located exclusively within the European Union?
Do you have the contractual right to conduct unannounced audits and security assessments of your cloud provider?
Are all security logs, audit trails, and compliance evidence stored exclusively in EU jurisdictions under your control?

Environmental Sustainability

5% of total score

Ensures long-term autonomy and resilience regarding energy consumption and resource dependencies

Contributing Factors:
  • Energy-efficient infrastructure (PUE optimization)
  • Circular economy practices
  • CO₂ emissions and water consumption tracking
Does your cloud provider source energy from renewable EU-based sources to reduce dependency on external energy supplies?
Has your organization evaluated the environmental impact of your cloud services and implemented carbon reduction strategies?
Are you aligned with EU environmental regulations and sustainability frameworks (e.g., EU Taxonomy, Green Deal)?