On April 17, 2026, the European Commission awarded a €180 million tender to four European cloud providers: Post Telecom (Luxembourg), StackIT (Germany), Scaleway (France), and a consortium led by Proximus (Belgium). This was the first procurement process where digital sovereignty was explicitly measured and used as an award criterion. To do this, the Commission developed and published its Cloud Sovereignty Framework in October 2025, which divides sovereignty into eight domains and five assurance levels.
This article examines three things: how the framework is structured, what happened in this tender, and what it reveals about the direction of European procurement policy on digital autonomy.
The Framework in Broad Outline
The Cloud Sovereignty Framework v1.2.1 evaluates cloud providers across eight sovereignty domains (SOV-1 to SOV-8):
- SOV-1 Strategic Sovereignty: ownership, governance, and anchoring within the EU
- SOV-2 Legal & Jurisdictional Sovereignty: exposure to non-EU legislation such as the U.S. CLOUD Act or China’s Cybersecurity Law
- SOV-3 Data & AI Sovereignty: cryptographic control, data residency, and AI pipelines
- SOV-4 Operational Sovereignty: can EU actors operate the service without an external supplier?
- SOV-5 Supply Chain Sovereignty: origin of hardware, firmware, and software distribution
- SOV-6 Technology Sovereignty: openness, open-source, and non-proprietary APIs
- SOV-7 Security & Compliance Sovereignty: certifications, SOC location, audit rights
- SOV-8 Environmental Sustainability: energy efficiency and circularity
For each domain, a Sovereignty Effectiveness Assurance Level (SEAL) is assigned, on a scale of five:
- SEAL-0: no sovereignty; exclusive control by non-EU parties
- SEAL-1 Jurisdictional Sovereignty: EU law is formally applicable but only partially enforceable
- SEAL-2 Data Sovereignty: EU law is applicable and enforceable, but material non-EU dependencies and indirect control by non-EU parties remain
- SEAL-3 Digital Resilience: marginal non-EU control
- SEAL-4 Full Digital Sovereignty: no critical non-EU dependencies
The framework operates with two mechanisms. First, a minimum threshold: the contracting authority sets a minimum SEAL per domain. If a bidder falls below this threshold in any domain, they are excluded. Second, a Sovereignty Score that is factored into the award as a quality criterion. The weighting is fixed in the framework:
| Domain | Weight |
|---|---|
| SOV-5 Supply Chain | 20% |
| SOV-1 Strategic | 15% |
| SOV-4 Operational | 15% |
| SOV-6 Technology | 15% |
| SOV-2 Legal & Jurisdictional | 10% |
| SOV-3 Data & AI | 10% |
| SOV-7 Security & Compliance | 10% |
| SOV-8 Environmental | 5% |
The Commission justifies the lower weighting of SOV-2 and SOV-7 by arguing that these domains are already covered elsewhere in the procurement process. While this is defensible to some extent, it also means that the domains with the most direct impact on data access under foreign law (SOV-2, SOV-3, SOV-7) carry the lowest competitive weight after environmental considerations. It will therefore be important that these other criteria are also explicitly addressed and made visible in the award process.
The Tender in Context
The tender was launched in October 2025 as a mini-competition within the Cloud III Dynamic Purchasing System (DPS), a Commission framework agreement for cloud services. The budget amounts to €180 million over six years, averaging €30 million per year, divided among four parallel contracts. The customer base consists of EU institutions, agencies, and common undertakings covered by the Cloud III DPS—around a hundred entities.
This may sound like a large amount, but it is worth putting into perspective. The Cloud III DPS itself has a ceiling of €550 million. The sovereign tender therefore accounts for about a third of that capacity. Four months earlier, in December 2024, the same Commission awarded a contract to Amazon Web Services under the same DPS, also with a ceiling of €550 million over six years. In other words: a single hyperscaler received a ceiling three times larger than the sovereign tender for four providers combined.
In an answer to the European Parliament in May 2025, the Commission confirmed that 85% of its workloads run on private cloud, with the remaining 15% roughly evenly split between AWS, Microsoft Azure, and OVHcloud. There is no public total figure for Microsoft itself: the Commission contracts via so-called Inter-Institutional Licensing Agreements (ILAs), which are published in tender registers as having “no associated financial value.” Estimates based on the Bechtle framework contract (€52 million per year, Microsoft-dominated) and typical license costs put Microsoft’s volume for EU institutions at roughly €60 to €150 million per year. The sovereign tender is therefore smaller in budget terms than one year of Microsoft licenses for EU institutions.
This in itself says nothing about the significance of the tender. But it does say something about how much room the Commission has left to apply its own sovereignty yardstick to its existing hyperscaler contracts. That room remains largely unused.
What Is Not Clear to the Public
After the announcement, several methodological questions remain unanswered:
- The proportion of the Sovereignty Score within the total award criteria (price, technical quality, sovereignty) has not been made public;
- There may be overlap between SOV-8 (Environmental Sustainability) and the separate EMAS obligation in Annex VI of the Cloud III DPS (Article 15 of the Main Conditions). Whether the same environmental signal is measured in two places cannot be determined from the public documentation;
- The exact minimum SEAL levels per domain for this specific competition are included in the Mercell tender file, which is not publicly accessible.
With this context, three observations follow.
The Good: Sovereignty Becomes Measurable
For the first time, the Commission translates “sovereign cloud” from a political slogan into a procurement instrument. That is a shift in itself, and it deserves recognition.
The framework places the discussion on architectural ground rather than ideological ground. The eight domains are about where ownership resides, under which legal system a service operates, where the hardware comes from, and how open the technology is. None of these questions require a political preference for one provider over another. They demand verifiable properties of the service. This aligns with an approach in which sovereignty is a matter of jurisdictional and architectural coherence, not a choice between “European” and “American” on their own merits.
The direct market consequences are also real. Four European providers were selected. All four develop significant parts of their own technology. This is a market signal: demand from Europe’s largest public cloud customer can fuel European supply. By working with four parallel contracts, the Commission also builds in diversification—a real difference from the single-vendor model that many governments are currently locked into.
Finally, the framework is public, in version 1.2.1, and the Commission has announced it will publish a new version based on lessons from this tender. Other European governments, at regional and local levels, can adopt the methodology. This is a building block that has value beyond the EU institutions.
The Bad: SEAL-2 as a Threshold
However, on one point the framework works against itself. The threshold the Commission applied for this tender was SEAL-2. To be valid, a provider had to meet at least this level in all eight domains.
What SEAL-2 means is spelled out in the framework: “EU law applicable and enforceable, with material non-EU dependencies remaining; service, technology or operations under indirect control of non-EU third parties.” EU law applies, but material non-EU dependencies are allowed, as is indirect control by non-EU parties.
The most illustrative consequence of this can be seen in the composition of the consortium led by Proximus. It achieved SEAL-2 and was thus one of the four winning bidders. Part of its technical offering relies on S3NS, a joint venture between Thales and Google Cloud in which the underlying technology is provided by Google Cloud. In other words: one of the four providers labeled as “sovereign” in a European tender is built on top of an American hyperscaler stack.
The question this raises is not whether Google or Proximus did anything wrong. Both parties played by the rules of the tender. The question is how the framework makes it possible for American hyperscaler technology to serve as an underlying layer in an offering labeled sovereign. Three design choices make this possible together.
First, the threshold choice. SEAL-2 explicitly allows “material non-EU dependencies” and “indirect control by non-EU third parties.” Had the Commission chosen SEAL-3 or SEAL-4 as the minimum, a stack built on Google Cloud would no longer have qualified. The bar was set in the framework itself in such a way that a European operational framework can qualify as sovereign above non-European technology.
Second, the weighting. Within the Sovereignty Score, SOV-2 (legal & jurisdictional) counts for only 10%. This is the domain most directly related to extraterritorial legislation such as the CLOUD Act. Technology (SOV-6) counts for 15%, supply chain (SOV-5) for 20%. A provider can therefore compensate for a lower level in SOV-2 with high scores elsewhere. The framework allows jurisdiction to be balanced against other domains.
Third, the principle distinction between operation and technology. In its announcement, the Commission explicitly states: non-European technologies can, when operated within a strict and appropriate framework, meet the minimum level of sovereignty. This is a policy choice. It says that sovereign operation is sufficient, even if the underlying technology is produced and owned under another jurisdiction.
Whether these three choices are defensible depends on which threat model one wants to address. For threats that operate through the contract layer, this model does provide protection. For threats that work through the stack or via extraterritorial law, less so. In 2024, Microsoft had to admit in a French court that it cannot guarantee data sovereignty for European customers when a U.S. CLOUD Act injunction is issued. A carefully negotiated contract does not change that. The jurisdictional exposure lies in the technical chain, not on paper.
The criticism from CISPE puts this succinctly: there is no such thing as “75% organic,” and there is no such thing as “75% sovereign.” A weighted average across eight domains can hide material dependencies when high scores in other domains compensate for a weak SOV-2. The EuroStack analysis makes the same point more technically. The alternative EuroStack proposes is a hard, non-negotiable pass/fail threshold on jurisdictional control, before any further scoring takes place.
The substantive question that follows is simple. If SEAL-2 is the threshold for a tender that explicitly carries the sovereign label, what then is the threshold for tenders without that label? The threshold defines what sovereignty means in practice.
The Ugly: What the Commission Did Not Publish
The framework is intended to be measurable: per domain, per service, with a public methodology. The official announcement of the award does none of that.
Three things remain invisible.
First, per-domain SEAL scores are not published. The Commission reports only one aggregated SEAL level per winner. A provider may achieve SEAL-3 while scoring SEAL-2 in SOV-5 (supply chain) or a low level in SOV-4 (operational). The reader does not know this. For a framework designed to make risk profiles per domain visible, this is a loss of information.
Second, the Sovereignty Score per provider is not public. The weighting table is public (SOV-5 counts for 20%, SOV-8 for 5%), but the resulting scores are not. The Swedish Safespring voluntarily published its own score (86.25%) with a breakdown per domain. The Commission does not do this for its own four selected suppliers.
Third, different solutions are reported together. The Proximus bid is a consortium with S3NS (Google Cloud technology via Thales), Clarence, and Mistral. Each of these has a different sovereignty profile. A customer using Mistral via Proximus gets no visibility into how that specific component scores. The consortium-level SEAL-2 says nothing about Mistral as an independent provider.
The result is that the framework currently does not do what it promises. It was designed to help customers choose based on risk profiles that vary per domain. Without publication of scores per domain and per component, that choice cannot be made. The framework only works if the scores work.
There is also an institutional dimension. The European Parliament asked questions at the end of 2025 about the weighting, specifically whether the weight of SOV-2 should be increased. If the Commission does not apply its own methodology transparently in its own tenders, it undermines the framework as a reference point for other European governments considering adopting it.
BeLibre raises a concrete open question to the Commission: publish for each winning provider the SEAL levels achieved per SOV domain, as well as the underlying Sovereignty Score. This is a fair request. It asks for no revision of the award decision, no disclosure of commercially sensitive pricing information, and no redefinition of the framework. It simply asks that the instrument the Commission itself designed to make sovereignty measurable should also be applied in its measurable form. Without this publication, it is impossible for a customer, a journalist, a Member of Parliament, or another government to determine whether the methodology was applied consistently.
Conclusion
The Cloud Sovereignty Framework is a real step forward. Measurability, a public methodology, and anchoring in an actual procurement process are no small achievements. In a market where “sovereign cloud” has been a marketing label for years, the Commission is delivering a technically usable instrument.
From BeLibre’s perspective, we want to emphasize above all: the use of SEAL levels and the eight SOV domains is a major step forward. For the first time, Europe has a shared language to discuss digital sovereignty in terms that can be applied in a procurement process. That is a real achievement by the Commission, and v1.2.1 of the framework is a document on which progress can be built.
It is precisely for this reason that the outcome of this first application is a missed opportunity. The framework introduces nuance where only marketing labels existed before. It separates eight dimensions of sovereignty and shows that they do not always align. And then the end result is reduced to a publication that contains little more than a list of winners and one aggregated SEAL level per provider. The nuance the framework has built up is packaged away at the finish line.
This is not only regrettable for transparency. It undermines the usability of the instrument itself. The weighting of sovereignty across the eight domains is not a fixed quantity. It is a decision the customer must make, per service, per department, per use case. A hospital storing medical images weighs SOV-3 (data) differently than an agency running internal productivity tools. An entity sensitive to extraterritorial legislation weighs SOV-2 (jurisdiction) differently than one focused on supply chain continuity. The framework implicitly acknowledges this by separating eight domains and five levels. Without the per-domain results per winning provider, a customer cannot make that weighting. The four winners are then presented as interchangeable, while in reality they have different risk profiles.
Publication of the full SEAL matrix per provider—ideally with a breakdown per consortium component—would enable future customers under the contract to select the best candidate for their specific use case. Or, where appropriate, to conclude that none of the four is adequate for their needs and that a broader solution is required. This is not asking for more than the framework promises. It is asking for what the framework promises.
BeLibre therefore poses one concrete, feasible question to the Commission: publish for each of the four winning providers the SEAL levels achieved per SOV domain, together with the underlying Sovereignty Score. This requires no revision of the framework, no reopening of the award, and no disclosure of commercially sensitive information. It is simply publishing what has already been measured, in the form in which it was measured.
The first sovereign tender is not a failure. It is a prototype. Prototypes get versions. For version 2 of the framework, more structural improvements are also conceivable: a hard pass/fail threshold on SOV-2, or a higher weighting of SOV-2 within the Sovereignty Score in line with the Parliament’s request. But what is missing right now is not more framework. What is missing is the publication of the outcomes of the framework that already exists. Measurability is half the battle. The other half is that the measurement is also made public.
Sources
Primary
- Cloud Sovereignty Framework v1.2.1 (October 2025)
- Announcement of tender launch (October 10, 2025)
- Announcement of award (April 17, 2026)
- Cloud III DPS framework contract (DIGIT/2023/DPS/0031), TED notice
Budget Context
- AWS Cloud III award, December 2024, TED notice 22001-2025
- Commission response to EP question E-001866/2025 on cloud usage
- Bechtle framework contract for EU software reselling
Critical Analysis