Europe’s Spreadsheet Sovereignty: Can Procurement Policy Compete with China’s Firmware Control?
Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.
In September, at the Gartner Global CISO Summit in New Orleans, I outlined five forces breaking the digital order. The fourth—technology bifurcation—described how sovereignty is no longer confined to borders or trade law but is now being written directly into silicon and standards. A few weeks later, China proved the point with the release of UBIOS, an indigenous firmware stack designed to eliminate foreign code from the most trusted layer of computing.
Now, Brussels has offered its response, not in firmware, but in spreadsheets.
The EU Cloud Sovereignty Framework (v1.2.1, October 2025) doesn’t control what code runs at boot time; it controls who gets paid. If a cloud provider fails the minimum SEAL level on even one of eight sovereignty objectives, it is disqualified from the €180-million initial procurement, no exceptions, no appeals, and no diplomatic courtesy. Where China hard-codes sovereignty into firmware, Europe encodes it into procurement rules. The intention is the same: define the boundary, make it measurable, and use it to reclaim strategic independence from external control.
The question is whether spreadsheet sovereignty can deliver what UBIOS hard-codes, strategic independence from foreign leverage, or whether it will accelerate the very fracture it hopes to prevent.
The Framework Decoded
The Cloud Sovereignty Framework introduces Sovereignty Effectiveness Assurance Levels (SEAL-0 → SEAL-4).
SEAL-0 – No Sovereignty: Services under exclusive non-EU control.
SEAL-1 – Jurisdictional Sovereignty: EU law applies but enforcement is limited.
SEAL-2 – Data Sovereignty: Material non-EU dependencies remain.
SEAL-3 – Digital Resilience: Minimal external control.
SEAL-4 – Full Digital Sovereignty: Complete EU control, no critical foreign dependencies.
Each tenderer receives a Sovereignty Score weighted across eight objectives, and failing a minimum SEAL threshold on any single objective means automatic disqualification. Among those who qualify, the overall score influences award rankings.
On firmware, the framework examines the “jurisdiction and provenance of embedded code controlling hardware”, scrutinising CPUs, GPUs, storage, and network components for European origin or verifiable transparency. It is UBIOS logic repurposed for procurement: where Beijing mandates indigenous firmware, Brussels demands auditable provenance.
Encryption policy requires that “only the customer, not the provider, has effective control over cryptographic keys.” If U.S. law can compel a provider to surrender access, the service fails, no matter how strong its technical isolation. In practice, the distinction that matters is between keys generated and stored in a provider-operated key management service, which the provider can be compelled to use, and keys held in hardware the provider cannot reach; only the second arrangement satisfies “effective control”.
Jurisdictional exposure is explicitly scored: the framework lists the U.S. CLOUD Act and Chinese Cybersecurity Law as examples of extraterritorial reach incompatible with higher SEAL levels. It names what diplomacy usually avoids: sovereignty cannot coexist with compulsory foreign legal access.
The framework came into effect through an initial six-year procurement for EU institutions, with up to four providers expected to win contracts between December 2025 and February 2026. It remains guidance rather than regulation, but it sets a precedent that could soon shape eligibility for all public-sector cloud tenders in Europe.
The Lattice Test
The framework’s strategic test is straightforward: can Europe preserve interoperability while building resilience, or will its internal contradictions collapse the middle ground?
Brussels is trying to construct what might be called lattice logic: graduated thresholds that preserve cross-border operations while reducing critical dependencies. The SEAL system allows shades of sovereignty rather than a binary pass or fail. The published weightings, 20 percent for supply chain, 15 percent each for operational, strategic, and technological sovereignty, and 10 percent each for legal, data, and compliance objectives, reveal a policy trying to balance ambition with realism. It is Europe’s attempt to build what I call the Strategic Lattice: a world in which geopolitical tension is managed through minimum viable interoperability instead of outright fragmentation.
Yet lattice stability depends on credible enforcement, and enforcement demands institutional backbone. The framework lacks the machinery that gives other EU regimes their power: no penalties, no designated authority, and no sustained technical-audit capacity. By comparison, GDPR, NIS2, and DORA all carry both enforcement and consequence; GDPR alone has produced over €5.6 billion in fines since 2018 [1]. Without similar mechanisms, the Cloud Sovereignty Framework risks becoming what critics already call regulatory theatre: architecturally sophisticated, operationally hollow.
Meanwhile, U.S. hyperscalers continue to localise at scale. AWS has committed €7.8 billion to its Brandenburg region [2]; Microsoft, over €20 billion in European infrastructure within sixteen months [3]; and Google has expanded sovereign partnerships with Thales and T-Systems [4]. These projects deliver local staffing, customer-held keys, and EU-incorporated entities, yet they remain legally American, still bound by the CLOUD Act. As one French MP observed during Senate testimony, “A cloud can be in France and still answer to Washington.” [5a]
Operational sovereignty can be engineered; jurisdictional sovereignty requires geopolitical leverage that Europe still lacks.
The Delaware Problem
Consider an EU pharmaceutical company running high-value research workloads on Microsoft Azure Germany. Its data sits in Frankfurt, encryption keys are customer-controlled, and operations are handled by EU citizens employed by Microsoft Deutschland GmbH. On paper, it qualifies for SEAL-3.
Now imagine the U.S. Drug Enforcement Administration issues a CLOUD Act order to Microsoft Corporation in Delaware, demanding tenant-level access. Microsoft Deutschland asserts that German law prevents compliance, yet the parent company faces contempt charges if it refuses.
The framework anticipates such conflicts; it scores them at SEAL-1 or SEAL-2 depending on the degree of exposure but provides no circuit breaker, no adjudicator, and no tested fallback plan. The customer must either comply through its provider or migrate mid-crisis to a European vendor it has never validated.
This is operational sovereignty colliding with jurisdictional sovereignty. The framework can measure the gap, but it cannot close it. That limitation, more than any technical weakness, will determine whether Europe’s lattice holds or slides into a Red Zone of regulatory incompatibility.
Enforcement, Markets, and the Math of Dependence
There is no enforcement body, no penalty structure, and no budget for technical verification; compliance simply determines who gets invited to bid.
The contrast with GDPR and NIS2 is stark—and so is the market reality. U.S. hyperscalers control roughly 70 percent of Europe’s €61 billion cloud market, while European providers hover around 15 percent [5]. Even perfect compliance cannot rebalance that scale. The graduated scoring is therefore a political compromise—an attempt to signal ambition without upending dependence.
The economics are no kinder. Achieving full digital sovereignty would cost around €3.6 trillion over a decade—twelve times more than a partnership model [6]—and likely leave Europe three technology generations behind its competitors. Spreadsheet sovereignty is cheaper than rebuilding the stack but still costly enough to test Europe’s fiscal patience.
What Boards Should Do
Boards cannot legislate sovereignty, but they can design for it.
Interrogate vendor SEAL claims. When a provider claims SEAL-3 compliance, ask which legal entity signs the contract and who its ultimate parent is, which legal mechanism prevents CLOUD Act enforcement, whether encryption keys sit in hardware the provider cannot reach, and how quickly the provider can respond to a non-EU order.
Map workloads by sovereignty need. Identify which systems truly require SEAL-3 assurance and which can safely operate under SEAL-1 contracts.
Engineer for migration speed. A multicloud strategy that cannot move a critical workload within 90 days is theatre, not resilience.
Track policy as intelligence. Regulatory divergence is now as important an indicator as a state-sponsored intrusion.
Push decision-making closer to the risk. Fragmented governance is slow governance; authority must sit where information concentrates.
The central question for executives is no longer “Are we compliant?” but “Which dependencies can be weaponised against us, and how fast can we replace them?”
The Bootloader of Procurement
Europe’s framework captures a broader truth: when a region cannot compete on innovation speed, it competes on governance reach. Whether that becomes strategic patience or strategic paralysis will depend on how quickly the framework grows teeth.
UBIOS shows sovereignty imposed with binary clarity at the firmware layer; the EU’s framework shows sovereignty negotiated through twenty-seven democracies and filtered by trillion-dollar lobbyists—optional, gradual, and slow. Yet both rest on the same logic: when dependencies become weapons, control becomes currency. China chose architectural independence; Europe chose procurement governance. Neither guarantees resilience, but both recognise that sovereignty can no longer be deferred.
The crucial difference is enforceability. UBIOS is mandatory within Chinese jurisdiction, while the Cloud Sovereignty Framework remains voluntary guidance. One operates at the millisecond before an operating system loads; the other, at the months-long cadence of contract awards. The open question is whether procurement policy can ever deliver strategic effect when the infrastructure itself remains under foreign jurisdiction.
Australia faces a similar dilemma. The government’s Whole-of-Government Hosting Strategy and its AUD $2 billion Top Secret Cloud partnership with AWS [7] mirror Europe’s procurement-based approach: operational control is local, but jurisdictional control remains offshore. Canberra, like Brussels, is learning that sovereignty measured through procurement checklists is not the same as sovereignty enforced through law. Jurisdiction travels with the parent company, not the rack. The real test is whether Australia can build credible enforcement and domestic capability before legal dependence hardens into strategic vulnerability.
Europe’s wager is that measurement can substitute for power—an attempt to reverse-engineer leverage through rules and thresholds, much as Basel III once did for banking. Whether that preserves the Strategic Lattice or accelerates Red Zone drift will hinge on three indicators:
Whether France, Germany, and the Netherlands make SEAL thresholds mandatory for national procurement by mid-2027.
Whether the Commission proposes an enforcement mechanism within eighteen months.
Whether any U.S. hyperscaler attains SEAL-4 by 2027—a near-impossibility that will reveal how much of this sovereignty is real and how much is theatre.
In systems architecture, as in geopolitics, the winner is not the actor with the most elegant framework but the one still able to operate when frameworks collide.
John Ellis writes about the geopolitics of technology and cyber security at GeopoliticalCyber. The views expressed are his own.
Sources
[1] DLA Piper, GDPR Fines and Data Breach Survey, Jan 2025; CMS Law, GDPR Enforcement Tracker Report, Mar 2025.
[2] AWS, AWS plans to invest €7.8 billion into the AWS European Sovereign Cloud, May 2024.
[3] Microsoft, Landmark EU Data Boundary announcement, Feb 2025.
[4] Google Cloud, Advancing digital sovereignty on Europe’s terms, Oct 2022; Advances in sovereignty and security, May 2025.
[5] Synergy Research Group data, 2025; Heise Online, July 2025.
[5a] French Senate hearing on Cloud Act implications, Paris, July 2024 (reported in Le Monde and DCD).
[6] CEPA, Digital Sovereignty: Can Europe Afford It?, Nov 2025.
[7] Australian Department of Defence, AWS Top Secret Cloud Partnership, July 2024; Office of National Intelligence, TS Cloud Announcement, July 2024.