| SOV-1 Strategic Sovereignty | SEAL-4 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-4 | |
| SOV-3 Data & AI Sovereignty | SEAL-3 | |
| SOV-4 Operational Sovereignty | SEAL-3 | |
| SOV-5 Supply Chain Sovereignty | SEAL-3 | |
| SOV-6 Technology Sovereignty | SEAL-3 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-3 | |
| SOV-8 Environmental Sustainability | SEAL-3 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 4. Entirely within the EU | 125/125 | SEAL-4 | high | eu_entity (French-law entity, brand of Dassault Systemes SE, no non-EU parent) -> opt4 (entirely within EU) (src: https://www.3ds.com/newsroom/press-releases/outscale-first-cloud-qualified-secnumcloud-32). |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | high | Owned by Dassault Systemes, a large French/EU industrial software group; takeover/transfer to a non-EU sovereign entity is very unlikely (opt5). |
| SOV-1.3 | Control over roadmap | 4. Full influence of EU actors | 125/125 | SEAL-4 | medium | EU-controlled roadmap with own R&D (TINA OS) and EU governance participation (GAIA-X founder, ANSSI ecosystem) -> opt4 full influence of EU actors. |
| SOV-1.4 | Financial independence from non-EU capital | 5. Entirely EU-based funding | 125/125 | SEAL-4 | high | Funded by French parent Dassault Systemes; no material reliance on non-EU capital (opt5). |
| SOV-1.5 | EU economic contribution | 4. Majority in the EU | 94/125 | SEAL-4 | medium | Operations, engineering, data centers and jobs predominantly in France/EU; majority of economic contribution is in the EU (opt4). |
| SOV-1.6 | Participation in EU strategic programs | 4. Strong participation | 94/125 | SEAL-4 | high | Founding member of GAIA-X and active in EU sovereign-cloud / SecNumCloud initiatives; strong participation (opt4). |
| SOV-1.7 | Alignment with EU industrial strategies | 3. Measured achievement and dedicated governance | 83/125 | SEAL-4 | medium | Sovereign-cloud strategy with measured achievements (first SecNumCloud 3.2 qualification) and dedicated governance aligned with EU digital-sovereignty strategy (opt3). |
| SOV-1.8 | Resilience to cut-off | 5. Full autonomy and continuity | 125/125 | SEAL-4 | medium | own_stack: vertically integrated EU provider with self-developed TINA OS orchestrator, EU ops and documented continuity; foreign chips are residual hardware only -> opt5 full autonomy & continuity. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 3. Exclusively EU law | 167/167 | SEAL-4 | high | Sovereign SecNumCloud offer contracted exclusively under French/EU law -> opt3 (4) (src: https://en.outscale.com/our-certifications/). |
| SOV-2.2 | Extraterritorial laws exposure | 5. Verified legal immunity, non-EU laws unenforceable | 167/167 | SEAL-4 | high | immunity: SecNumCloud 3.2 (key rule c) + pure-FR entity with no non-EU nexus; explicitly protected against extraterritorial law -> opt5 verified legal immunity (4) (src: https://www.3ds.com/newsroom/press-releases/outscale-first-cloud-qualified-secnumcloud-32). |
| SOV-2.3 | Data access pathways for non-EU authorities | 5. Requests always rejected by the provider | 167/167 | SEAL-4 | high | No foreign_parent + immunity: French-law entity not subject to US CLOUD Act/FISA, commits to reject/challenge non-EU compelled access -> opt5 requests always rejected (4) (src: https://www.3ds.com/newsroom/press-releases/outscale-first-cloud-qualified-secnumcloud-32). |
| SOV-2.4 | Export control restrictions | 5. Part of offer shielded from restrictions towards EU MSs/intl orgs | 167/167 | SEAL-4 | medium | EU SecNumCloud sovereign offer shielded from non-EU export-control restrictions toward EU member states and international organisations; foreign chips treated as residual hardware only (consistent with the cluster's SecNumCloud peers) -> opt5 (4) (src: https://en.outscale.com/our-certifications/). |
| SOV-2.5 | Origin of IP | 4. Mostly within the EU | 125/167 | SEAL-4 | medium | Core IP (TINA OS orchestrator and platform software) developed/mastered in France; some embedded firmware/chip IP originates outside EU -> opt4 mostly within EU. |
| SOV-2.6 | IP holder jurisdiction | 4. EU law with exceptions | 125/167 | SEAL-4 | medium | Platform IP held by the French entity/Dassault Systemes under EU law, with some third-party embedded components under non-EU law -> opt4 EU law with exceptions (4). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 4. Customer primary control but provider can read data | 150/200 | SEAL-3 | low | Customer-managed encryption/key management offered, but default IaaS means provider retains technical read ability absent dedicated HSM/HYOK -> opt4 customer primary control, provider can read (3). |
| SOV-3.2 | Transparent data flows & access logs | 4. Full customer-controlled visibility, not real-time | 150/200 | SEAL-3 | low | Customer-accessible access logs and usage console; full real-time independent auditability not clearly evidenced -> opt4 full customer-controlled, not real-time (3). |
| SOV-3.3 | Secure deletion & proof of erasure | 4. Deletion technically verified with access logs | 150/200 | SEAL-3 | medium | SecNumCloud 3.2 mandates secure-deletion procedures with logged/traceable erasure operations -> opt4 deletion technically verified with access logs (3); full independent cryptographic proof not published, so not opt5. |
| SOV-3.4 | Data location strictly in EU/EEA | 5. Exclusively EU, no third-country fallback | 200/200 | SEAL-4 | medium | eu_exclusive: the scoped SecNumCloud sovereign offer stores and processes exclusively in EU/France with no third-country fallback (the non-EU regions are a separate product) -> opt5 exclusively EU (4) (src: https://en.outscale.com/our-certifications/). |
| SOV-3.5 | AI services sovereignty | 4. EU-led AI, foreign accelerators | 150/200 | SEAL-3 | medium | EU-led sovereign AI (LLMaaS, OKS) running in the SecNumCloud environment, but compute relies on NVIDIA GPUs (foreign accelerators) -> opt4 EU-led AI, foreign accelerators (3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 4. Formal migration services available | 125/167 | SEAL-4 | medium | AWS EC2/OpenStack-compatible APIs, documented data export and formal migration/reversibility services for a sovereign IaaS -> opt4 (4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 5. Entire stack managed by fully EU-based team | 167/167 | SEAL-4 | high | eu_ops: entire stack operated and maintained by Outscale's France/EU teams with its own orchestrator; no non-EU ops dependency -> opt5 (4). |
| SOV-4.3 | Skill availability in the EU | 4. All EU staff | 125/167 | SEAL-3 | medium | Engineering and operations skills concentrated in France/EU; all-EU staff for the sovereign offer, clearances not universally evidenced -> opt4 (3). |
| SOV-4.4 | Support channels | 4. All support staff in EU | 125/167 | SEAL-3 | high | 24/7 support delivered from France and Europe for the sovereign offer; all support staff in EU -> opt4 (3). |
| SOV-4.5 | Documentation & knowledge transfer | 4. EU-only primary repositories | 125/167 | SEAL-4 | medium | Documentation and knowledge are EU-primary for the French sovereign provider; EU-only primary repositories -> opt4 (4). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 4. Ability to source alternatives or internalise | 125/167 | SEAL-3 | low | Self-developed orchestrator and EU ops allow sourcing alternatives or internalising functions if a non-EU hardware supplier withdraws -> opt4 ability to source alternatives (3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 3. Transparent with exceptions | 72/143 | SEAL-3 | low | Hardware components sourced from non-EU vendors but provenance is transparent to certified/audit processes with exceptions under SecNumCloud -> opt3 transparent with exceptions (3). |
| SOV-5.2 | Manufacturing location | 3. Mixed sourcing, EU audit rights | 72/143 | SEAL-3 | low | Servers built on foreign-designed silicon, integrated/operated by Outscale; mixed sourcing with EU audit rights under SecNumCloud -> opt3 (3). |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/microcode in CPUs/GPUs/NICs originates from non-EU vendors (Intel/AMD/NVIDIA) with only partial disclosure -> opt2 (seal 4 by rubric, no cap). |
| SOV-5.4 | Origin of software | 5. Exclusively designed/maintained by EU teams | 143/143 | SEAL-4 | high | No foreign_core: TINA OS cloud operating system/orchestrator is exclusively developed and maintained by Outscale's EU teams (from open-source components) -> opt5 exclusively EU-maintained (4). |
| SOV-5.5 | Software build/release jurisdiction | 5. EU control + EU policy gates | 143/143 | SEAL-4 | medium | Software built and released under EU control by the French team in a SecNumCloud-qualified environment with EU policy gates -> opt5 (4). |
| SOV-5.6 | Single point of dependency | 4. Few non-EU in non-critical services, documented | 107/143 | SEAL-3 | medium | Critical platform software is EU-controlled (own orchestrator); remaining non-EU vendors are chip/hardware suppliers in non-critical-software role, documented -> opt4 few non-EU non-critical, documented (3). |
| SOV-5.7 | Supply chain transparency | 4. Most suppliers auditable | 107/143 | SEAL-3 | low | SecNumCloud 3.2 imposes supplier auditability; most suppliers auditable through the qualification, full hardware-vendor transparency not fully published -> opt4 most suppliers auditable (3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based AWS-EC2 and OpenStack-compatible APIs with broad tooling compatibility and documented portability -> opt4 (3). |
| SOV-6.2 | Open standards compliance | 4. Policy for most core services | 150/200 | SEAL-3 | medium | Open standards (EC2-compatible API, OpenStack interoperability, Kubernetes) adopted across most core services as policy -> opt4 (3). |
| SOV-6.3 | Open source availability | 3. Open source, centralised governance | 100/200 | SEAL-3 | low | TINA OS built from open-source elements with EU contributions, but the orchestrator is centrally governed -> opt3 open source, centralised governance (3); no foreign_core cap. |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | medium | Public documentation, open bug-bounty (YesWeHack) and architecture insight; not fully customer-extensible -> opt3 some public insight (3). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | medium | HPC/AI on EU-hosted infrastructure but compute stack relies on foreign accelerators (NVIDIA GPUs) and foreign CPUs -> opt2 EU-hosted, foreign stack (3). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Cert->EAL mapping: SecNumCloud 3.2 ~ EAL3-equivalent -> opt4 EAL3 (3) (src: https://en.outscale.com/our-certifications/). |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 5. Fully compliant to all, independently audited | 143/143 | SEAL-4 | high | SecNumCloud 3.2, ISO 27001/27017/27018, HDS, SOC 2 Type 2 (Deloitte), CISPE, TISAX, GDPR/NIS2 alignment -> opt5 fully compliant, independently audited (4). |
| SOV-7.3 | EU-based SOC & incident handling | 4. Entire lifecycle by EU teams, EU threat intel | 107/143 | SEAL-3 | medium | Security operations and incident handling run end-to-end by France/EU teams under SecNumCloud requirements -> opt4 entire lifecycle by EU teams (3). |
| SOV-7.4 | Control over security monitoring/logging | 4. Full direct access, logs stored in EU | 107/143 | SEAL-3 | medium | Customers get direct access to monitoring/logs stored in the EU under SecNumCloud; immutable tamper-proof logging not explicitly evidenced -> opt4 full direct access, EU-stored (3). |
| SOV-7.5 | Disclosure of incidents | 4. Partial compliance, monitored flow, SLAs | 107/143 | SEAL-3 | medium | GDPR/NIS2-aligned incident disclosure with monitored flow and SLAs under SecNumCloud; full real-time CSIRT sharing not specifically documented -> opt4 (3). |
| SOV-7.6 | Maintenance autonomy | 3. Moderate autonomy (notice + testing, except zero-day) | 72/143 | SEAL-4 | medium | Maintenance performed by Outscale's own teams on its own orchestrator with notice and testing; high autonomy for an IaaS -> opt3 moderate autonomy (4). |
| SOV-7.7 | Auditability | 5. Full independent audit by any entity | 143/143 | SEAL-4 | medium | audit_rights: SecNumCloud 3.2 sovereign offer implies full audit rights for the contracting authority and independent EU bodies -> opt5 full independent audit (4). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | low | French sovereign data centers run at high efficiency with an environmental roadmap (ISO 50001); a published PUE below 1.3 is not confirmed, so PUE<1.5 + roadmap is the conservative match -> opt3 (4). |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented sustainable-development and circular hardware-lifecycle practices aligned with Dassault Systemes group; no EU-certified lifecycle claim -> opt3 documented program (3). |
| SOV-8.3 | Environmental impact reporting | 4. Detailed EU methodology | 188/250 | SEAL-3 | medium | Sovereign Carbon Footprint service (Cockpit + API) measures per-customer cloud emissions with a defined methodology, backed by Dassault Systemes CSRD-grade group reporting -> opt4 detailed EU methodology (3); not opt5 (no independent EU audit of the cloud-specific figures published). |
| SOV-8.4 | Energy supplies | 5. Only green EU energy supplies | 250/250 | SEAL-4 | medium | French data centers supplied with 100% renewable energy -> opt5 only green EU energy supplies (4) (src: https://en.outscale.com/our-certifications/). |