European Union: European Commission implemented Cloud Sovereignty Framework including public procurement access requirements

On 20 October 2025, the European Commission implemented public procurement access requirements in the Cloud Sovereignty Framework. The Framework provides criteria for public authorities to evaluate sovereignty assurance and effectiveness of cloud infrastructure providers seeking government contracts. It establishes eight Sovereignty Objectives (SOV-1 to SOV-8) covering strategic, legal, data, operational, supply chain, technological, security, and environmental control. Providers are assessed against Sovereignty Effectiveness Assurance Levels (SEAL), which range from no sovereignty (SEAL-0) to full digital sovereignty (SEAL-4). Tenders must meet a mandatory minimum SEAL level for each objective or face rejection, serving as a pass/fail gate. A complementary Sovereignty Score is calculated to rank qualified providers, acting as an award criterion for contract selection. Evaluation factors include EU-based governance, insulation from foreign laws, customer-controlled data encryption, and operational independence. The scoring is weighted most heavily on Operational Sovereignty (20%) and Supply Chain Sovereignty (20%). The results can also guide risk management during the contract's lifetime, determining which systems may be deployed based on the provider's assurance level.