New framework allows EU firms to check if 'sovereign' cloud services are truly sovereign

Frustrated with “sovereign cloud" offerings that it says are nothing of the sort, CISPE has launched a new framework aimed at helping enterprises check if they’re getting exactly what they’re paying for.

CISPE’s Sovereign and Resilient Cloud Services Framework has been developed, defined, and tested by European cloud infrastructure providers, the trade body said in a statement.

The new scheme will allow businesses to easily select cloud services that have been audited to verify their sovereign and resilience credentials.

The aim is to provide a clear, certifiable definition of control in cloud services, helping customers and public authorities identify offerings that give them effective control over data, infrastructure, workloads, and operations.

“Think of the CISPE Sovereign Badge as ‘puncture-proof tyres’ on a car: it guarantees immunity from external interference with your cloud services or data," said Francisco Mingorance, secretary general of CISPE.

"By contrast, the CISPE Resilient Cloud Service Badge represents ‘run-flat tyres’ — you may encounter disruption, but you can continue your journey without losing control.”

The framework has two strands. First and foremost, sovereign services must ensure control by design – meaning they're owned, governed, and operated within the relevant jurisdiction and prevent foreign powers from accessing, interfering with, or disrupting them.

Meanwhile, resilient services ensure control by capability, CISPE said. Even where some non-sovereign elements exist, customers retain control through robust technical and operational safeguards.

These include customer-managed encryption, portability, independent backups, and the ability to switch providers or redeploy workloads.

CISPE said that more than 40 services have already been declared against the CISPE framework, including sovereign and resilient European AI assistant services, public cloud, Kubernetes, and storage offerings. More compliant services are expected in the coming weeks, it said.

Tackling “sovereignty washing”

The trade group has long been concerned about “sovereignty washing”, arguing last year that the EU Cloud Sovereignty Framework did little to reduce reliance on American cloud providers and hyperscalers.

"Rather than bringing clarity, the Framework muddies the waters by introducing a murky 'sovereignty score' that averages the impossible with the irrelevant," it said.

"In practice, most European cloud service providers are likely to score lower than foreign hyperscalers under this system – perhaps that’s the idea – preserving the status quo under a cloak of “sovereignty."

Last month, the group wrote to Henna Virkkunen, the EU’s EVP for Tech Sovereignty, expressing concerns about the upcoming Cloud and AI Development Act (CAIDA).

The letter called for a number of actions aimed at shoring up sovereignty capabilities across the region, including:

• Sovereignty by control, focusing on ownership, governance, and legal protection.
• Stronger resilience where sovereign services are not available.
• Reserved procurement shares for EU-based cloud providers.
• A policy reinforcing competition and interoperability.
• Taxpayer-funded investment in European companies.

"This first comprehensive European cloud policy should strengthen Europe’s digital capacity by prioritizing procurement and investment in sovereign European solutions that foster a competitive cloud ecosystem," the trade group said.

"If it instead enables 'sovereignty washing' or procurement strategies that further entrench the dominance of non-European hyperscalers, it risks undermining the very objectives it seeks to achieve."

FOLLOW US ON SOCIAL MEDIA

Follow ITPro on Google News and add us as a preferred source to keep tabs on all our latest news, analysis, views, and reviews.

You can also follow ITPro on LinkedIn, X, Facebook, and BlueSky.