Version 1.2.1 (October 2025) defines precise requirements for how procurement bodies evaluate cloud providers along eight sovereignty objectives. It serves as a minimum requirement via SEAL levels and as an award criterion via a weighted score. The approach combines concrete control questions with evidence requirements and a unified evaluation matrix – developed in the context of CIGREF Trusted Cloud, Gaia-X, NIS2, DORA and national strategies like “Cloud de Confiance”.
Eight measurable dimensions structure digital sovereignty – from strategic independence to sustainable operational capability.
Structural anchoring in the EU
Legal protection against extraterritorial access
Technical control over data and AI
Vendor-independent operation
Resilient, traceable supply chains
Openness and interoperability
EU-based security operations
Sustainable, resilient operational capability
Each objective is measured via Contributing Factors. Weaknesses in individual factors can significantly lower the overall level of an objective.
The framework defines five tiers as a common “currency” for minimum levels per sovereignty objective. Procurers define minimum SEAL per SOV objective; non-compliance leads to bid rejection.
Exclusive non-EU control
Formal EU jurisdiction
Enforceable EU law, with dependencies
Substantial EU control
Complete EU control
In addition to the SEAL minimum level, a weighted total score is calculated. This multiplies the points achieved per objective by a target weighting and sums across all eight sovereignty objectives – for nuanced differentiation among multiple valid offers.
Total Score = Σ (Achieved Points / Max Points) × Weighting across all 8 objectives. Example: For SOV-5, a provider achieves 80 of 100 points → (80/100) × 20% = 16% contribution to total score. The sum across all objectives yields the final sovereignty score (0-100%).
SOV-1 (15%), SOV-2 (10%), SOV-3 (10%), SOV-4 (15%), SOV-5 (20%), SOV-6 (15%), SOV-7 (10%), SOV-8 (5%). Higher weighting for supply chain, operations and technology; security/compliance considered already well secured.
Procurers require concrete evidence: contracts, SOC runbooks, key management architecture, data flow diagrams, SBOM/supply chain transparency, audit reports, proofs of EU locations/teams. Public documentation is included.
Each objective is evaluated against specific factors – e.g. for SOV-3: BYOK, AI auditability, EU data localization; for SOV-4: exit capability, EU support, complete documentation/source. Material weaknesses lower the SEAL level.
The framework is designed as a practical tool for public procurement. It combines minimum requirements (pass/fail via SEAL) with nuanced differentiation (award score) – and consistently requires verifiable evidence rather than mere declarations of intent.
Procurers set a minimum SEAL level for each of the eight SOV objectives – e.g. SEAL-3 for SOV-4/6/7 (operations/technology/security), SEAL-2 for SOV-2/3 (legal/data). Offers that don’t meet a minimum SEAL are excluded.
Bidders must provide hard evidence: contracts with court venue, SOC runbooks, key management architecture, data flow diagrams, SBOMs, ISO scopes, audit reports, proofs of EU locations/teams. Public documentation is included and verified.
For multiple valid offers, the weighted sovereignty score is applied: Per SOV objective, achieved points (relative to maximum) are multiplied by target weighting and summed. The score enables nuanced ranking beyond “yes/no”.
The framework provides concrete control questions – e.g. “Where are decision-making bodies located?”, “What key management for customer data?”, “Are there non-EU sub-suppliers?”. These questions form the common thread for submission and evaluation.
The framework shifts focus from mere certification to demonstrable independence, control and exit capability – technically, organizationally, legally. “Sovereign-washing” without real technical/organizational decoupling will likely not achieve SEAL-4.
European providers can directly monetize strengths in openness (standards, open source), EU-based operations, supply chain transparency and data sovereignty – as a measurable advantage in the award score.
Verifiable properties: EU-based operations/support/logging (SOV-7), BYOK/HSM and EU data localization (SOV-3), standardized, portable architectures (SOV-4/6), traceable supply chains (SOV-5), governance protection (SOV-1/2).
“Sovereignty labels” without substantial technical or organizational shielding will likely achieve at most SEAL-2 in the framework – formal jurisdiction, but material dependencies.
To achieve SEAL-4 (Full Digital Sovereignty) across all eight objectives, concrete technical and organizational measures are required. These go far beyond classic ISO certifications.
BYOK/BYOHSM with complete customer control
Standardized exit runbooks
Operational documentation
Software Bill of Materials
Strict EU localization without fallbacks
SOC/NOC/Support in the EU
Our Managed Services and our Software Delivery Platform systematically fulfill the framework requirements – designed from the ground up for real digital sovereignty of European organizations.
Fully EU-based organization
German and EU jurisdiction
Complete data control
Vendor-independent and exit-capable
Transparent, EU-based supply chains
100% Open Source, standards-based
EU-based security operations
Sustainable data centers
Complete digital sovereignty
The Cloud Sovereignty Framework is embedded in the comprehensive EU digital/cybersecurity ecosystem. It integrates with NIS2, DORA, CRA, Data Act, GDPR and other EU regulations.
Sovereignty as resilience factor
NIS-2 requires BCP/DR and supply chain management for critical infrastructures. The framework evaluates independence and control – directly relevant for NIS-2 supply chain risks and resilience of critical infrastructures. EU-based, sovereign stacks reduce jurisdictional and concentration risks.
Digital sovereignty as risk mitigator
DORA requires ICT third-party risk management including exit capability. The framework evaluates exit capability, control and independence – factors that directly address DORA third-party risks. EU-based, sovereign ICT stacks reduce jurisdictional and concentration risks.
Secure, sovereign products
CRA requires security across product lifecycle (Security by Design, SBOM, vulnerability management). The framework evaluates technology sovereignty (SOV-6): open standards, open source, transparency. Together: secure EU products with open standards, transparency, exit capability – without lock-in.
Portability and lock-in prevention
The Data Act requires technical/contractual measures against vendor lock-in – directly relevant for framework evaluation of operational sovereignty (SOV-4). Interoperability and standardized interfaces become the regulatory standard. Open standards, exit strategies = maximum control.
Data protection as sovereignty enabler
GDPR requires data protection, security (Art. 32), protection for third-country transfers (Chapter V). The framework evaluates data/AI sovereignty (SOV-3): EU data localization, customer key sovereignty, exit capability. EU-only stacks with BYOK = GDPR-native.
European predecessors & initiatives
EU-wide harmonization
Comprehensive compliance approach
How ayedo systematically addresses Cloud Sovereignty Framework, NIS-2, DORA, CRA, Data Act, GDPR, ISO 27001 and other standards. Certifications, processes, technical measures and audit readiness – find our complete compliance roadmap here.
The Cloud Sovereignty Framework goes far beyond classic ISO/SOC certifications. It requires verifiable independence, control and exit capability – not just “security assurance”.
Complementary dimensions
ISO 27001 focuses on information security (processes, controls, risk management). The framework evaluates digital sovereignty: Who controls the provider? Which jurisdiction applies? Are there extraterritorial access possibilities (CLOUD Act, FISA)? How exit-capable are you?
ISO 27001 and sovereignty are complementary – the framework adds the control dimension to security certifications.
Hard evidence rather than declarations of intent
Instead of “yes/no” checklists, the framework requires verifiable evidence: contracts with court venue, key management architecture, SBOMs, data flow diagrams, exit runbooks.
Public documentation is included and verified.
Nuanced evaluation rather than binary decision
Classic procurements are often binary (certified/not certified). The framework enables nuanced ranking via the weighted sovereignty score.
Ideal for best-value procurements with differentiated evaluation.
Measurable sovereignty rather than marketing claims
The framework makes “sovereignty labels” without substantial decoupling visible: providers with non-EU control achieve at most SEAL-2, regardless of marketing claims.
Real sovereignty becomes measurable and verifiable.
Whether you’re applying the Cloud Sovereignty Framework for procurement or simply want to strengthen your digital independence – we support you with consulting, platform and long-term operations.