SEAL-2, SEAL-3 and the Architecture of the EU’s €180 Million Sovereignty Bet

The European Commission has awarded a framework contract worth up to €180 million to four European cloud providers, covering sovereign cloud services for EU institutions over six years. The winners are Luxembourg’s Post Telecom (with partners OVHcloud and CleverCloud), Germany’s StackIT, France’s Scaleway and a Belgian-French-Luxembourgish consortium led by Proximus alongside S3NS, Clarence and Mistral. Each provider was assessed against the Commission’s new Cloud Sovereignty Framework, a structured methodology that translates sovereignty into measurable procurement criteria. Providers needed to reach at least SEAL-2 to qualify. Three of the four awardees met SEAL-3. For procurement and assurance teams across the EU, this cloud sovereignty framework is no longer a policy paper; it is the reference standard that future tenders will be measured against.

What the Cloud Sovereignty Framework Contains

The cloud sovereignty framework defines eight sovereignty objectives, each assessed independently and weighted in a composite score. SOV-1, Strategic Sovereignty, examines whether the bodies with decisive authority over the provider sit within EU jurisdiction and whether financing, governance and investment are EU-anchored. SOV-2, Legal and Jurisdictional Sovereignty, evaluates exposure to non-EU laws with extraterritorial reach, including the US CLOUD Act. SOV-3 covers Data and AI Sovereignty: where data is stored and processed, who holds encryption keys and the degree of EU control over AI models and data pipelines.

SOV-4, Operational Sovereignty, measures whether EU actors can run, support and evolve the service independently of foreign involvement. SOV-5, Supply Chain Sovereignty, traces the geographic origin and transparency of hardware, firmware and software. SOV-6, Technology Sovereignty, examines openness, interoperability and the absence of proprietary lock-in. SOV-7, Security and Compliance Sovereignty, covers EU certifications, GDPR and NIS2 adherence and whether security operations centres operate under EU jurisdiction. SOV-8, Environmental Sustainability, addresses energy efficiency and raw material dependency. Supply chain sovereignty carries the highest scoring weight at 20%; environmental sustainability the lowest at 5%.

SEAL Levels Explained for Procurement Teams

The cloud sovereignty framework uses five Sovereignty Effectiveness Assurance Levels. Procurement teams should treat these as a classification system for vendor risk, not as marketing badges.

• SEAL-0 (No Sovereignty): the service is entirely controlled by non-EU third parties, governed under non-EU law. Any provider at this level was automatically rejected from the tender.
• SEAL-1 (Jurisdictional Sovereignty): EU law formally applies but with limited practical enforceability; operational control remains with non-EU parties. A provider sits here if EU contracts exist on paper but a foreign parent can still compel access.
• SEAL-2 (Data Sovereignty): EU law is both applicable and enforceable. Non-EU dependencies remain but do not override EU data protection. This was the minimum threshold. A provider fails SEAL-2 if a non-EU authority can compel data access without the customer’s knowledge.
• SEAL-3 (Digital Resilience): EU actors exercise meaningful control. Non-EU involvement is marginal and cannot threaten continuity. Three of the four awardees reached this level. Disqualification occurs if the service cannot survive a withdrawal of non-EU vendor support.
• SEAL-4 (Full Digital Sovereignty): technology and operations sit under complete EU control with zero non-EU dependencies. No awardee reached this level; it would require a fully EU-sourced stack from silicon to application layer.

The Contradiction the Cloud Sovereignty Framework Normalises

The most instructive result in this tender is not the highest-scoring providers. It is the Proximus consortium, which reached SEAL-2 while including S3NS in its bid. S3NS is a joint venture between Thales and Google Cloud. Its technical environment runs on Google Cloud infrastructure, exclusively operated by EU companies under EU jurisdiction.

This tells procurement teams something worth hearing plainly. “Sovereign” in the Commission’s operational definition does not mean exclusion of non-EU technology. It means governance over access, jurisdiction over data and documented insulation from extraterritorial law. The cloud sovereignty framework does not ban hyperscaler components; it requires that the jurisdiction and access story around those components is watertight and auditable.

For organisations that have been delaying cloud decisions while waiting for clarity on what sovereignty means in practice, this tender provides the answer. You can use services built on non-EU technology, provided you can demonstrate and document who controls access and under which legal framework compulsion can occur.

What to Do With This as a Buyer or Supplier

The cloud sovereignty framework is publicly available and the methodology is open. Both sides of the procurement table should be acting on it now.

For Buyers

Update your cloud tender specifications to reference the framework and specify a minimum SEAL level for each sovereignty objective. The full methodology is published and freely available. Apply the same SEAL assessment logic to existing contracts at renewal; if your current provider cannot evidence at least SEAL-2 across the eight objectives, that is a documented risk your board needs to see. Update your vendor master assessment to include the jurisdiction risk categories the framework codifies, particularly SOV-2 (exposure to non-EU law) and SOV-5 (supply chain origin and transparency).

For Suppliers

Map your current offerings against the eight objectives and determine which SEAL level you can evidence today. The gap between your current position and SEAL-2 is the gap your EU public-sector pipeline depends on. Prepare evidence packs addressing each contributing factor in the framework, from ownership structure through to hardware provenance and security operations centre jurisdiction. Prepare a jurisdiction and access narrative that states plainly which non-EU laws could apply, what measures insulate EU customers, and what happens if a non-EU authority issues a compulsion order.

Future Prep’s Cloud Sovereignty Procurement Checklist covers the questions your team should be asking in the next cloud tender. Download it from the Digital Sovereignty resources page and use it as the starting point for your first SEAL-aligned vendor assessment.