| SOV-1 Strategic Sovereignty | SEAL-1 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-1 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-1 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (Linode is a wholly owned subsidiary of US-listed Akamai Technologies, Cambridge MA) -> controlling entity entirely outside the EU -> opt1. (src: https://www.akamai.com/newsroom/press-release/akamai-completes-acquisition-of-linode) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Akamai is a large established US public company; a takeover transferring it to another non-EU sovereign entity is very unlikely (kept per instruction, all-seal-4 factor). |
| SOV-1.3 | Control over roadmap | 2. Through 'voice of the customer' public channels | 42/125 | SEAL-2 | medium | Roadmap is set centrally by Akamai's US product org; EU customers only have 'voice of the customer' input, no governance role -> opt2. |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funded via US public equity markets and Akamai US corporate capital; almost entirely non-EU funding (kept, all-seal-4 factor). |
| SOV-1.5 | EU economic contribution | 2. Some | 31/125 | SEAL-4 | medium | EU data centres and sales/support generate some EU activity, but the bulk of revenue, R&D and employment is outside the EU (kept, all-seal-4 factor). |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No clear participation in EU strategic programs (Gaia-X, IPCEI-CIS); positions itself as a global commercial cloud (kept, all-seal-4 factor). |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No action plan or governance aligning Akamai with EU industrial/digital-sovereignty strategies; strategy is global edge+cloud (kept, all-seal-4 factor). |
| SOV-1.8 | Resilience to cut-off | 3. Can continue temporarily per contractual agreement | 63/125 | SEAL-2 | low | Not own_stack (US-controlled platform on a global US-run stack), but a standard IaaS/PaaS with documented export tooling and contractual terms under which the service could continue temporarily after a cut-off rather than shutting down immediately -> opt3 (seal 2), consistent with US commodity-IaaS peers. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | Contracts run through Akamai's US parent with EU entities/DPAs; jurisdiction is mixed EU/US, not exclusively EU law -> opt2. (src: https://www.akamai.com/legal/compliance/data-processing-agreement) |
| SOV-2.2 | Extraterritorial laws exposure | 2. Mitigation clauses, exposure remains | 42/167 | SEAL-1 | high | No immunity (US-headquartered group, no SecNumCloud/EUCS-High, no trustee structure); SCC/DPA mitigation clauses but exposure to CLOUD Act/FISA remains -> opt2. |
| SOV-2.3 | Data access pathways for non-EU authorities | 2. Can compel access without notification, specific cases | 42/167 | SEAL-1 | high | foreign_parent -> subject to US CLOUD Act/FISA 702; can be compelled to produce data, in specific cases under gag orders preventing notification -> opt2 (seal 1, caps SEAL at 1). |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | US EAR/OFAC applies to the parent and can restrict service to specific sanctioned EU citizens/orgs, but no EU Member State is under restriction and EU revenue is not a >50% majority -> opt2. |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | Core Linode/Akamai platform IP developed in the US (Philadelphia + Akamai US R&D); origin entirely outside the EU (kept, all-seal-4 factor). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | IP held by Akamai Technologies and Linode LLC under US law, a single non-EU jurisdiction -> opt1. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 2. Primarily provider, not exclusively | 50/200 | SEAL-1 | high | Disk/volume encryption is platform-managed with provider-held keys; no HYOK/BYOK offered, so control is primarily provider-side -> opt2. |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | low | Account/audit and activity logs exist, vendor-controlled, available to customers but not real-time independent oversight of provider access -> opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows internal policy with confirmation on teardown; no cryptographic proof-of-erasure or independent verification published -> opt3 (policy-only). |
| SOV-3.4 | Data location strictly in EU/EEA | 4. EU by default, tightly controlled exceptions | 150/200 | SEAL-1 | medium | No eu_exclusive sovereign offer, but workloads pinned to an EU region (Frankfurt, Amsterdam) keep data in that region under Akamai's data-residency controls: EU-by-default with tightly controlled exceptions rather than a contractual no-third-country guarantee -> opt4 (seal 1). (src: https://www.linode.com/lp/data-sovereignty/) |
| SOV-3.5 | AI services sovereignty | 2. Mostly non-EU: licensed AI, chip dependency | 50/200 | SEAL-2 | high | Akamai Cloud Inference runs on US-origin NVIDIA GPUs/DPUs and the NVIDIA AI Enterprise stack; mostly non-EU AI with hard chip dependency -> opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | high | Standard documented export methods: open REST API, official Terraform provider, S3-compatible object storage, upstream Kubernetes (LKE) -> opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | medium | No eu_ops: platform engineering and critical operations are run by Akamai's global, predominantly US-based teams -> opt1. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Akamai has EU staff but the cloud/engineering workforce is a global team with the majority outside the EU -> opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Support is global 24/7 follow-the-sun with significant non-EU presence; mixed but majority of capacity outside the EU -> opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge bases are global English-language resources; EU residency is optional and not enforced -> opt2 (seal 2), consistent with US commodity-IaaS peers. |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Critical suppliers (data-centre landlords, NVIDIA, network) are largely non-EU; on an enforced cut-off the service would stop after a delay -> opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Standard x86 servers and NVIDIA GPUs from non-EU vendors with only partial public disclosure of component provenance -> opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | low | Servers and chips manufactured by non-EU OEMs/foundries (US/Asia), partial disclosure, no EU manufacturing or audit-rights program -> opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/BIOS/BMC and GPU/DPU firmware from non-EU vendors; partial disclosure, no EU certification (kept, all-seal-4 factor). |
| SOV-5.4 | Origin of software | 2. Foreign origin, partial disclosure | 36/143 | SEAL-2 | medium | Core platform software is proprietary US-maintained Akamai/Linode code (foreign-origin, partial disclosure), not maintained by EU teams -> opt2 (seal 2). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Software build/release pipelines are controlled and executed by Akamai's US engineering org -> non-EU control & execution -> opt1. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | low | Critical dependencies (parent company, NVIDIA, data-centre providers) are mostly non-EU and not documented as substitutable -> opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some sub-processors are listed/auditable via SOC 2 reports, but the full supply chain is not independently auditable by customers -> opt2. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 4. Standards-based and broadly compatible | 150/200 | SEAL-3 | medium | Standards-based interfaces: open REST API, S3-compatible storage, upstream Kubernetes (LKE), Terraform provider -> broadly compatible, opt4. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | medium | Open standards (S3 API, Kubernetes/CNCF, Linux, HTTP/TLS) adopted across core compute/storage, but no formal company-wide all-services policy -> opt3. |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | Control plane and platform are proprietary and vendor-controlled; Akamai integrates open source (Kubernetes, KServe, vLLM) but does not open-source its own platform -> opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Substantial public docs, guides and architecture references give some public insight without full openness -> opt3. |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | GPU/HPC capacity is offered in EU regions but built on imported NVIDIA accelerators and stack: EU-hosted on a foreign stack rather than imported black-box with no EU footprint -> opt2 (seal 3), consistent with US commodity-IaaS peers. |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 3. EAL2 | 72/143 | SEAL-2 | medium | No SecNumCloud/EUCS-High/Common Criteria EAL, but Akamai's Cloud Computing (Linode) holds ISO/IEC 27001:2022 plus SOC 2 Type II and PCI-DSS; per the key's cert map ISO 27001 + SOC 2 -> EAL2-equivalent -> opt3 (seal 2). (src: https://www.akamai.com/site/en/documents/corporate/2024/iso-iec-27001-certification.pdf) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | GDPR DPAs/SCCs, SOC 2 Type II, ISO 27001:2022 and NIS2/DORA addressing indicate partial compliance with most relevant EU regimes (kept, all-seal-4 factor). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Global SOC/incident-response with a hybrid EU/non-EU footprint; security lifecycle not run end-to-end by EU teams -> opt2. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get an activity/audit-log and monitoring portal with periodic reporting, but the provider retains primary control of platform security monitoring -> opt3 (basic monitoring portal), consistent with US commodity-IaaS peers. |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | medium | Incident disclosure follows GDPR/NIS2-aligned breach-notification practices at a moderate level rather than real-time CSIRT sharing -> opt3. |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | low | Platform patching/maintenance is on Akamai's schedule; customers have limited autonomy over underlying maintenance windows -> opt2 (seal 1). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: assurance is via vendor-controlled SOC 2/ISO audits with limited customer audit access; not full independent audit by any entity -> opt2 (seal 1). |
| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 3. PUE < 1.5 + roadmap | 125/250 | SEAL-4 | medium | High-efficiency facilities (e.g. New Jersey site annualised PUE <1.2) and a 2030 efficiency roadmap; fleet-wide PUE <1.5 with roadmap -> opt3 (seal 4). (src: https://www.akamai.com/why-akamai/sustainability) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Sustainability reporting describes hardware lifecycle/circular practices as a documented program, without EU-certified lifecycle assurance -> opt3 (seal 3). (src: https://www.akamai.com/why-akamai/sustainability) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | high | Annual sustainability report with emissions, renewable share and per-facility metrics, but not under an EU-specific audited methodology -> opt3. (src: https://www.akamai.com/why-akamai/sustainability) |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | medium | Targets 100% renewable by 2030 but currently relies on a mix of EU and non-EU energy across its global fleet (kept, all-seal-4 factor). |