The European Commission has awarded four cloud-computing contracts to suppliers it says meet new “sovereignty” criteria designed to keep public-sector data and services under EU rules.
The tender was launched in October as part of work to strengthen the EU institutions’ “digital sovereignty posture” and encourage cloud services that comply with EU laws and values, the Commission informed on Friday.
It noted that it split the deal between four providers to increase diversification and resilience and to avoid reliance on a single supplier.
The selected providers are a Luxembourgish-French partnership led by Post Telecom with OVHCloud and CleverCloud; Germany’s StackIT (Schwarz Group); France’s Scaleway (Iliad Group); and a Belgian-French-Luxembourgish partnership led by Proximus using services from S3NS (a Thales and Google Cloud joint venture), Clarence and Mistral.
Measuring “cloud sovereignty”
To assess bidders, the Commission said it developed a Cloud Sovereignty Framework that turns “digital sovereignty” into procurement criteria that can be measured, covering eight areas including legal and operational considerations, supply chain transparency, security, and compliance with EU laws.
The framework uses “Sovereignty Effectiveness Assurance Levels”, known as SEAL, ranging from SEAL-0 to SEAL-4, with SEAL-4 requiring an EU supply chain from chips to software.
Bidders had to reach at least SEAL-2, described as a “Data Sovereignty” level where services follow EU laws and regulations without customers needing extra technical measures to protect their data.
Post Telecom with OVHCloud and CleverCloud, StackIT and Scaleway reached SEAL-3, while Proximus/S3NS reached SEAL-2.
The Commission said it will apply the sovereignty criteria across digital services it provides to its departments and other EU bodies, and will publish an updated version of the Cloud Sovereignty Framework based on lessons from the tender.
