blogg

The EU just defined Sovereign Cloud, here is our score

The Cloud Sovereignty Framework is now the reference for grading European clouds. It sets hard requirements on ownership, control, law, and infrastructure. Here is what it means and how Safespring measures up.

Daniel Melin

Daniel Melin

Business Development Manager

On 20 October 2025, the European Commission published a reference for grading European clouds: the Cloud Sovereignty Framework.

Inspired by initiatives from France1, Germany2, and European regulations3, as well as international practices in export controls, supply chain resilience, and security auditability, this framework4 offers a new approach to objectify a topic that has been hard to quantify and compare.

This new framework echoes the white paper that the EuroStack industry initiative published just weeks prior, titled ”A Proposed Framework for a ‘Buy European’ Regulation of Strategic Digital Procurement5.

Eight criteria to measure clouds with

The framework defines eight cloud sovereignty objectives, each graded from 0 to 4 (the SEAL level – Sovereignty Effectiveness Assurance Level). The criteria cover all key dimensions of digital independence.

The framework lists strategic, legal, operational and environmental aspects, but also supply chain transparency, technological openness, security and compliance with EU law.

In essence, it assesses how deeply a cloud provider is embedded in the European ecosystem (ownership, governance, alignment with EU priorities), under European jurisdiction (minimally exposed to non-EU law), how far it controls its data and services locally, and whether it operates autonomously without critical dependencies outside the EU. Additional criteria concern the supply chain, technology stack, security and compliance, and the environmental sustainability of cloud operations.

The rationale behind the framework

The European Commission are using the framework for its own cloud procurement. A €180 million tender was launched in 2025 to select up to four providers over six years, each meeting minimum levels across all eight objectives. Any offer failing to meet a criterion’s minimum level will be automatically rejected. The idea is to level the playing field by pushing the market towards shared standards and reducing the dependence on non-European services by giving decision-makers an impartial comparison tool.

It’s a direct response to the Chinese and American power play where European law is not followed and continuous surveillance of Europe. Another aspect is that the European market share in global IT is shrinking at a worrying rate.

Safespring’s self-assessment based on the framework

Safespring used the criteria in the Cloud Sovereignty Framework and conducted a honest and transparent self-assessment to find out how sovereign we currently are and where we could improve.

Sovereignty score
Safespring reaches 86.25% according to our own assessment of the EU Cloud Sovereignty Framework.

how we assess ourselves

Here’s how we assess ourselves across the eight sovereignty objectives (SEAL score from 0 to 4):

  1. SOV-1 Strategic Sovereignty score: 4.
    Safespring is 100 % a Swedish company and with only Swedish governance. We are owned by the employees and the board of directors. We have no dependency on non-European capital and all employees are European citizens living in EU/EES. Court orders from non EU/EES countries towards us are not valid and we don’t do business in countries outside EU/EES. Our technology stack is made up of open source technologies that cannot be suspended by another country or vendor.
  2. SOV-2 Legal & Jurisdictional Sovereignty score: 4.
    Only Swedish and EU law applies to our contracts, services and operations. Our datacenters are in Sweden and Norway. We have no exposure to legal systems outside EU/EES. All IPR creation are within EU/EES.
  3. SOV-3 Data & AI Sovereignty score: 4
    We don’t see, log or use our customers’ data in any way. We use encryption and other security measures to protect our customers but they are also free to use their own encryption with keys only they have access to. All data is stored in the datacenter the customer chose to use and cannot be exported to countries outside Sweden and Norway since we don’t have datacenters there.
  4. SOV-4 Operational Sovereignty score: 4
    We own, manage and control our entire tech stack, from server hardware to Kubernetes platform. We minimize technological dependency on non-European vendors. This operational autonomy enables us to evolve or migrate the service if needed, without proprietary lock-in.
  5. SOV-5 Supply Chain Sovereignty score: 2
    Server and networking hardware is impossible to buy without Chinese, Korean and/or American components and firmware. Since that’s how the market is we are highly dependent on non-EU/EES hardware. The software we use is open source and therefore global. We are not dependent on any company our country for the software stack we use. The datacenters we use are owned and operated by companies and staff from EU/EES.
  6. SOV-6 Technology Sovereignty score: 3
    We only use open source components, open API:s and open protocols. Our entire stack can technically and legally be deployed at customer site where the customer can further develop the stack without Safespring. All components, architecture and dependencies are documented and open. We lack server hardware, CPU:s, GPU:s and switches from EU/EES vendors.
  7. SOV-7 Security & Compliance Sovereignty score: 4
    We are compliant with all relevant Swedish and EU law like GDPR, NIS2 and OSL. We are certified according to FR2000 and very soon ISO 27001. All security operations are within EU/EES. We are fully transparent about bugs, security breaches and fixes with our customers. Our customers can audit our datacenters, operations and compliance measures.
  8. SOV-8 Environmental Sustainability score: 4
    All our datacenters have low PUE, reuse the heat generated and use 100 % green electricity. Our datacenter operators can provide data and certifications about all relevant sustainability parameters. We use our hardware until it can no longer be used and recycle it responsibly.

References

  1. Trusted Cloud Referential by CIGREF and ANSSI’s Cloud de Confiance ↩︎

  2. Souveräner Cloud ↩︎

  3. European regulations like ENISA, NIS2 and DORA. ↩︎

  4. European Commission’s Cloud Sovereignty Framework ↩︎

  5. Eurostacks publication, A Proposed Framework for a “Buy European” Regulation of Strategic Digital Procurement ↩︎

Safespring offers flexible and high-performance cloud infrastructure services.

Our Nordic solution provides you with the confidence that you can meet legal and regulatory requirements, such as GDPR, with ease.

Optimize your service with:

Watch demo

Let one of our Cloud Architects show you our platform.

Watch demo
×
Safespring Linkedin Safespring Twitter Safespring GitHub Safespring YouTube Safespring Facebook

Choose language

Safespring Sweden Safespring Norway Safespring English

© Safespring AB (559075-0245) 2017-2025