CISPEthe initiative that brings together cloud providers in the European Union, does not at all agree with the text of the so-called EU Cloud Sovereignty Framework (EU Cloud Sovereignity Framework). Its 38 members have issued a statement in which they criticize its text and say that it is worded so vaguely that it is likely to favor large American suppliers against local operators regarding cloud sovereignty.
Faced with the need for a clear definition of what a sovereign cloud is, which EU officials were expected to put in writing, this framework proposes what they call “sovereignty scoring”, which dilutes the standards that this type of cloud must meet and which, according to CISPE, can result in European cloud providers obtaining lower scores than hyperscalar ones from outside the European Union.
From CISPE they go even further, and suggest that this may be intentional, with the aim that organizations from different public sectors do not have to change their current contracts with AWS, Azure or Google Cloud. Currently, the revenue generated by cloud services in Europe mostly goes to one of these three providers.
Furthermore, CISPE points out that its members are trying to develop tools that are transparent, workable and useful in the real world, in a framework in which the sovereignty of cloud services has gained popularity throughout the region, thanks above all to the political and commercial relationship with the completely volatile Trump Administration. But also at the level of growing awareness of the high level of dependence of European companies and governments on American hyperscalers.
In the midst of this panorama, US technology companies have added additional levels of control to their plans to improve their perception and acceptance in the European Union. In addition, they have created sovereign cloud services in Europe, as Google has done. AWS is even launching an EU-based cloud business division, which is expected to be operational by the end of this year.
Despite this, as a Microsoft executive had to admit under oath before the French Senate last July, they cannot guarantee data sovereignty to European customers due to the United States Cloud Law. This law allows US authorities to request access to any data held by US companies anywhere in the world. Therefore, the European sovereignty of the data hosted in its data centers, even if they were in EU territory, may be compromised.
A few days ago, the European Commission announced an offer, within the framework of the Cloud III Dynamic Procurement System, that will allow EU institutions and agencies to obtain sovereign cloud services for six years. With it, there will be up to four providers that will win contracts based on the new Cloud Sovereignty Framework between December 2025 and February 2026. Hence CISPE’s comments on the framework’s scoring system.
For their part, CISPE members are working on the development of labels that allow Sovereign Cloud services to be differentiated from Resilient Operational Cloud servicessomething that is not contemplated in the EU framework. The first is based on Gaia-X level three requirements, which guarantees immunity from non-EU interference and gives services full European control.
Meanwhile, services that achieve the second label will offer their clients, especially those who have to work in global supply chains, verifiable levels of legal and operational control over their data, even outside the EU.
