Brussels institutional press room after a European Commission briefing, journalists packing press kits with German and English headings into bags, empty wooden chairs and a folded EU placard on the rostrum

EU SEAL Framework 2026: How Sovereign Are Europe's New Sovereign Clouds Really?

The European Commission awards EUR 180 million using a measurable sovereignty grid. Three consortia reach SEAL-3, one only SEAL-2 with Google in the background.

On April 17, 2026 the European Commission awarded its first cloud contract under the new Cloud Sovereignty Framework. Four consortia from Luxembourg, Germany, France and Belgium share up to EUR 180 million over six years. The five SEAL levels and eight SOV objectives now serve as the reference for every procurement in public bodies, regulated industries and the wider European market.

Summary

On April 17, 2026 the European Commission awarded a sovereign cloud contract worth up to EUR 180 million over six years to four European consortia for the first time, applying the new Cloud Sovereignty Framework as a binding criterion. Three consortia (Post Telecom with OVHcloud and CleverCloud, STACKIT of Schwarz Group, Scaleway) reached SEAL-3 (Digital Resilience), the Proximus consortium with S3NS, Clarence and Mistral only SEAL-2 (Data Sovereignty). The framework measures sovereignty on a scale from SEAL-0 to SEAL-4 across eight weighted objectives, with supply chain carrying the highest weight at 20 percent. The inclusion of S3NS, a joint venture of Thales and Google Cloud, has triggered a sharp debate about sovereignty washing: CISPE, the body of 38 European cloud firms, calls it a clear own goal. For European decision-makers the framework offers the first reliable comparison grid beyond the marketing terms sovereign cloud and EU region. Recommendation: anchor SEAL scores in tenders and RFPs, audit existing cloud contracts against SOV-2, SOV-4 and SOV-5, and monitor the Tech Sovereignty package due May 27, 2026.

What the Commission awarded on April 17

On April 17, 2026 the European Commission awarded its first cloud contract using a measurable sovereignty grid. Four European consortia share up to EUR 180 million over six years, originally tendered in October 2025 under the Cloud III Dynamic Purchasing System. Sovereignty becomes a quantifiable category instead of a marketing term.

EUR 180m
contract volume over six years for four consortia
4
European consortia from DE, FR, LU and BE
5
SEAL levels from SEAL-0 to SEAL-4
8
weighted SOV objectives in the framework

The structural backdrop is stark: US hyperscalers control around 70 percent of the European cloud market, European providers around 15 percent. Politically that is no longer tenable, and technically it has long been hard to measure. With the Cloud Sovereignty Framework the Commission has built an instrument that makes the sovereignty claim auditable. Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security and Democracy, leads the initiative.

Non-European technologies, when operated within a strict and appropriate framework, can meet the minimum level of sovereignty we require.

European Commission, press release ,

For innobu's audience of strategic decision-makers in mid-market, enterprise and the public sector, this is a turning point. Anyone planning cloud procurement now has an official scale to work with. We have covered the broader European sovereignty debate in our analysis of France's sovereignty directive and the deeper investigation into lobbying around EU data centres .

Framework

The SEAL Framework: Sovereignty in Five Levels

The core of the new framework is the SEAL scale. It runs from SEAL-0 (no sovereignty claim) to SEAL-4 (full EU supply chain from chip to software). Public bodies, regulated industries and the wider market can finally evaluate how much control European actors really exert over a cloud service. The scale replaces self-declared assertions with auditable assessment.

SEAL (Sovereignty Effectiveness Assurance Levels) is the five-step assessment scale from the European Commission that measures how much sovereign control European actors actually exercise over a cloud service. The minimum threshold for awarding EU public contracts is SEAL-2.
Level Name What it guarantees
SEAL-0 No sovereignty Full dependence on third countries, no protection from extraterritorial intervention
SEAL-1 Jurisdiction EU law applies to the contract, but technical control remains external
SEAL-2 Data sovereignty Data under EU control, key management in EU hands, minimum threshold for the tender
SEAL-3 Digital resilience Immunity to disruption from non-EU supply chains, EU staff can operate the service independently
SEAL-4 Full digital sovereignty Complete EU supply chain from chips to software, no third-country dependency permitted
Printed European Commission consultation document on a desk corner with a yellow highlighter line across a provider rating row, a black ballpoint pen and a coffee mug at the upper edge of the frame
The Cloud Sovereignty Framework turns sovereignty into a documentable procurement category for the first time.

The tender set SEAL-2 as the minimum threshold. Three of the four consortia exceeded that bar, one met it exactly. In its first application the framework therefore proves that it can produce real differentiation rather than mere window-dressing. The Commission has also been clear that SEAL-4 is the target state for particularly sensitive domains, but no provider in the current tender achieved it.

Key takeaway

With SEAL, Europe finally has a shared vocabulary for cloud sovereignty. From now on, anyone speaking about sovereign cloud should be able to name the SEAL score, otherwise it is marketing.

The eight SOV objectives and their weighting

The framework does not measure sovereignty along a single dimension. Eight objectives (SOV-1 to SOV-8) sum to 100 percent and weight different aspects. The highest weight of 20 percent goes to supply chain because this is where the structural dependence on US hardware and hyperscaler software bites the hardest. Data and AI are bundled into a joint objective at 10 percent.

SOV-5 Supply Chain
20%
SOV-1 Strategic
15%
SOV-4 Operational
15%
SOV-6 Technology
15%
SOV-2 Legal and Jurisdictional
10%
SOV-3 Data and AI
10%
SOV-7 Security and Compliance
10%
SOV-8 Environmental
5%

What the objectives cover in detail

  • SOV-1 Strategic Sovereignty (15%): EU ownership, protection from foreign influence, ownership structure of the provider.
  • SOV-2 Legal and Jurisdictional (10%): Insulation from extraterritorial laws, particularly the US CLOUD Act and FISA 702.
  • SOV-3 Data and AI (10%): Data location, encryption, key management, independent AI services without hyperscaler dependency.
  • SOV-4 Operational Sovereignty (15%): EU staff can operate, maintain and recover services independently in case of crisis.
  • SOV-5 Supply Chain (20%): Geographic origin of components, semiconductors, software stacks and suppliers.
  • SOV-6 Technology (15%): Open standards, open-source availability, no vendor lock-in, workload portability.
  • SOV-7 Security and Compliance (10%): EU certifications such as BSI C5, EUCS, independent patching, EU-based security operations.
  • SOV-8 Environmental Sustainability (5%): Energy efficiency, carbon footprint, disclosure of consumption data.

Why the weighting matters: A provider can compensate for individual objectives but not all of them. A weak score in SOV-5 can be partly offset by strength in SOV-1 and SOV-4. That compensation logic has triggered the first round of debate, because it can lift borderline cases like S3NS into the SEAL-2 zone.

The sovereignty washing debate around S3NS

The most controversial decision is the inclusion of S3NS in the Proximus consortium. S3NS is a joint venture between Thales (majority shareholder) and Google Cloud, operating Google technology under EU oversight. The Commission justifies the inclusion by stating that non-European technologies can reach the minimum level of sovereignty within a strict framework. CISPE, the body of 38 European cloud providers, sees this as an own goal.

Long row of server racks behind a glass partition in a European colocation data hall, patch cable bundles and small green and amber status LEDs visible, a maintenance trolley parked at the far end of the corridor
S3NS runs Google technology in European data centres under majority control of Thales, yet the parent group remains subject to the US CLOUD Act.
Position S3NS and Commission
Full majority control by Thales
EU staff with security clearances
Physically segregated data centres in France
Strict logical and operational separation
Google support limited, no system access
Position CISPE and critics
Google remains supplier of critical software components
CLOUD Act and FISA 702 still apply to Google
A Microsoft executive admitted under oath that protection from US orders cannot be guaranteed
SEAL-2 as a minimum threshold institutionalises sovereignty washing
Weakens the signal to pure EU providers

Recognising S3NS, which leverages Google's cloud technology, as sovereign is clearly an own goal and threatens to institutionalise sovereignty washing at the highest levels.

Francisco Mingorance, Secretary General CISPE, April 2026

The legal situation is unambiguous. The US CLOUD Act allows US authorities to compel US cloud companies to disclose data anywhere in the world, including data held in the EU. A Microsoft executive admitted under oath before the French Senate in 2021 that the company cannot guarantee French customer data is shielded from US orders. Operational separation may be robust in practice, but it does not remove the legal access path.

The decision is not without merit. Europe needs functioning AI platforms, and Mistral as a European foundation model provider needs scalable infrastructure that is currently only available with hyperscaler technology in the loop. Anyone treating SEAL-2 as a pragmatic transition with SEAL-3 or SEAL-4 as the actual goal can defend the move. Anyone accepting it as a permanent end state has lost the sovereignty argument.

European perspective: STACKIT, Mistral and the CADA roadmap

For European decision-makers three implications are immediate. STACKIT of Schwarz Group is the first German hyperscaler challenger with an official EU sovereignty endorsement. The framework will become the reference well beyond the Commission tender. The Cloud and AI Development Act (CADA) is set to translate the framework into binding law.

1
German SEAL-3 provider in the tender (STACKIT, Schwarz Group)
200 MW
European AI compute capacity that Mistral plans by end of 2027
May 27
scheduled date for the Commission's Tech Sovereignty package

What changes for European actors now

  • STACKIT as national champion: Schwarz Group's cloud brand has the first binding SEAL-3 endorsement and is now directly bid-ready for federal and regional procurement.
  • Mistral with European infrastructure: 13,800 NVIDIA GB300 GPUs in a Paris cluster of 44 megawatts, financed with USD 830 million from a consortium of seven banks led by Bpifrance, BNP Paribas, Credit Agricole and HSBC.
  • SAP EU AI Cloud: The Walldorf company announced four deployment models in November 2025, including Delos Cloud for the German public sector. We have placed this in context with SAP MaKo Cloud and SAP Joule 2026 .
  • Cloud and AI Development Act: CADA is now scheduled for May 27, 2026 after two postponements. It is meant to convert the framework from voluntary assessment into a binding obligation.
  • Public sector as pilot market: Authorities across the EU increasingly orient their procurement around EU frameworks. The kill-switch concern from the Lunendonk study 2026 (83 percent of DACH companies see such a scenario as realistic) finally has a structured response.

Scaling our infrastructure in Europe is critical to give our customers innovation and autonomy and to ensure AI stays at the heart of Europe.

Arthur Mensch, CEO Mistral AI ,

Compared to the French directive of April 8, 2026 that we covered in France acts, Germany hesitates , the two movements complement each other: France delivers the political demand, the Commission delivers the measurement instrument. Together they raise pressure on European public bodies to take their own sovereignty strategies off the shelf.

Challenges and risks

The framework has weaknesses that European decision-makers need to understand. CISPE and IT lawyers criticise that several criteria remain open to interpretation, which can favour large providers with lobbying capacity. The SEAL score alone also says nothing about functionality, performance or price. A SEAL-3 platform without a matching AI stack helps an insurer little if they want to train models on their own data.

Low minimum threshold

SEAL-2 as the eligibility bar lets US-linked stakes through as long as operational separation is documented. The framework normalises constellations like S3NS for the next six years.

Compensation effects

The eight objectives can be traded against each other. Weakness in supply chain (SOV-5) can be offset by strength in strategy (SOV-1) and operations (SOV-4). Anyone reading only the headline score misses that.

Functional gaps

European providers are thin in foundation models and managed AI services. Mistral, Aleph Alpha and OpenGPT-X fill the gap only partly. Anyone needing top-tier language models still ends up at US providers.

Scaling question

EUR 180 million is enough for the EU institutions, not for the entire European public sector. Member states, utilities and the health system need their own programmes, otherwise the framework remains a Brussels showcase.

Risk of double procurement: Public bodies could hold SEAL-3 contracts and hyperscaler accounts in parallel and gain nothing in practice. Operational sovereignty only emerges when the switch is actually completed. US hyperscalers are building EU sovereign offerings (Microsoft Cloud for Sovereignty, Google Sovereign Controls, AWS European Sovereign Cloud) that can reach SEAL-2 and compete on functional breadth.

Playbook

What enterprises should do now

For European decision-makers the SEAL framework is the chance to anchor sovereignty in procurement, architecture and contracts without ideological debates. The next twelve months will decide whether the grid becomes the standard for public bodies and regulated industries, or remains a Brussels-only reference. Acting now creates a negotiating advantage with providers.

  1. Anchor SEAL scores in tender specifications

    For every new cloud tender require at least SEAL-2 for personal data and SEAL-3 for critical infrastructure. Treat the scale as a binding evaluation criterion in RFPs, not just as a marketing question.

  2. Audit existing contracts against SOV priorities

    SOV-2 (legal and jurisdictional), SOV-4 (operational control) and SOV-5 (supply chain) are the most sensitive points in current hyperscaler contracts. A baseline audit clarifies the actual sovereignty posture.

  3. Evaluate AI workloads separately

    Foundation model providers like Mistral, Aleph Alpha or OpenGPT-X are less SEAL-aligned than pure infrastructure. Procuring model and platform separately gives more flexibility to manage sovereignty.

  4. Document an exit strategy

    57 percent of DACH companies have no plan B for hyperscaler outages, according to Lunendonk 2026. A documented exit strategy with defined data and service paths is a precondition for any serious sovereignty claim.

  5. Use the negotiating leverage with US providers

    US providers will improve their EU sovereign offerings in 2026 because the framework adds pressure. Negotiating now allows you to anchor additional guarantees on key management, EU staffing and audit rights.

  6. Track the CADA proposal on May 27

    The Cloud and AI Development Act will translate the framework into binding law. Reviewing now which requirements will affect your cloud setup buys 12 to 18 months of lead time for adjustments.

SEAL-2
minimum threshold for personal data
SEAL-3
recommended for critical infrastructure
12-18
months of lead time before CADA enforcement

Further reading

European Commission: Press release on the sovereign cloud award (April 17, 2026) Help Net Security: EU awards EUR 180 million for sovereign cloud The Register: Sovereign cloud pick with Google in the background VSHN: Detailed analysis of SEAL and SOV objectives Interoperable Europe: Cloud Sovereignty Framework methodology EU-Startups: Mistral expands the Paris GB300 cluster innobu: Digital sovereignty - France acts, Germany hesitates innobu: Microsoft dictates EU transparency rules innobu: Sovereign AI and EU-first solutions for Europe innobu: Sovereign AI for Germany's industrial future innobu: OpenAI for sovereign AI in the public sector innobu: SAP Joule 2026 and agentic enterprise AI

Frequently asked questions

What is the EU Commission's SEAL framework? +

SEAL stands for Sovereignty Effectiveness Assurance Levels and defines five maturity levels for the sovereignty of cloud services. SEAL-0 means no sovereignty, SEAL-2 guarantees data sovereignty, SEAL-3 ensures resilience against disruption from non-EU supply chains, and SEAL-4 requires a full EU supply chain from chips to software. The framework was applied for the first time on April 17, 2026 in a binding award worth EUR 180 million.

Which four providers won the EU Sovereign Cloud tender 2026? +

Four consortia were awarded contracts: Post Telecom of Luxembourg with OVHcloud and CleverCloud, STACKIT of Schwarz Group from Germany, Scaleway from France and Proximus from Belgium with S3NS, Clarence and Mistral. Three consortia reached SEAL-3, the Proximus consortium only SEAL-2. The contract runs for six years and covers up to EUR 180 million.

What are the eight SOV objectives of the Cloud Sovereignty Framework? +

The framework measures sovereignty across eight weighted objectives: strategic sovereignty (15 percent), legal and jurisdictional (10 percent), data and AI (10 percent), operational sovereignty (15 percent), supply chain (20 percent, highest weight), technology (15 percent), security and compliance (10 percent) and environmental sustainability (5 percent). Supply chain carries the highest weight because the structural dependence on US hardware and hyperscaler software is hardest to overcome there.

Why does CISPE criticise the inclusion of S3NS in the tender? +

S3NS is a joint venture between Thales and Google Cloud that operates Google technology under EU oversight. CISPE, the body of 38 European cloud providers, sees the recognition as sovereign as a clear own goal and warns against institutionalised sovereignty washing. S3NS argues that it is fully controlled by Thales, employs EU staff and runs physically segregated data centres. Even so, Google as a US corporation remains subject to the CLOUD Act.

What does the framework mean for European authorities and enterprises? +

European public bodies and regional administrations gain the first hard comparison framework for cloud procurement beyond marketing terms like sovereign cloud or EU region. Mid-market and enterprise can require the SEAL score in tenders and RFPs as a binding criterion. Recommendation: at least SEAL-2 for personal data, SEAL-3 for critical infrastructure. STACKIT of Schwarz Group is the only German SEAL-3 provider in the current tender.

When does the Cloud and AI Development Act arrive? +

The European Commission has already postponed the publication of the entire Tech Sovereignty package twice and now plans the proposal for May 27, 2026. The Cloud and AI Development Act is intended to convert the SEAL framework from a voluntary assessment into binding law, alongside Chips Act 2, an open-source strategy and a roadmap for AI in energy. The package is led by Henna Virkkunen, Executive Vice-President for Tech Sovereignty.