On 20 October 2025, the European Commission implemented cybersecurity regulations in the Cloud Sovereignty Framework. The Framework provides criteria for public authorities to evaluate sovereignty assurance and effectiveness of cloud infrastructure providers seeking government contracts. The Framework establishes that cloud sovereignty supplements security and mandates that core cybersecurity functions, including "Security Operations Centres and response teams," must operate "exclusively under EU jurisdiction" to ensure independence from foreign influence. The policy requires that customers or EU authorities have direct control over security monitoring, as well as the ability to develop and deploy security patches. For data protection, the Framework insists that the customer be the sole agent with cryptographic access to their data and that data access and control must remain within the EU. It also demands government visibility into the jurisdiction of hardware and software throughout the entire supply chain, including audit rights. Providers must also demonstrate strategic resilience against external requests to modify service support, including in circumstances where vendor support is disrupted. Providers are obligated to report security breaches in a transparent and timely fashion compliant with existing EU regulations, including adherence to the General Data Protection Regulation (GDPR), NIS2 (Network and Information Systems), and DORA (Digital Operational Resilience Act).