| SOV-1 Strategic Sovereignty | SEAL-0 | |
| SOV-2 Legal & Jurisdictional Sovereignty | SEAL-1 | |
| SOV-3 Data & AI Sovereignty | SEAL-0 | |
| SOV-4 Operational Sovereignty | SEAL-1 | |
| SOV-5 Supply Chain Sovereignty | SEAL-0 | |
| SOV-6 Technology Sovereignty | SEAL-2 | |
| SOV-7 Security & Compliance Sovereignty | SEAL-1 | |
| SOV-8 Environmental Sustainability | SEAL-2 | |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-1.1 | EU/EEA legal entity control | 1. Entirely outside the EU | 0/125 | SEAL-1 | high | foreign_parent (Alibaba Group Holding, Hangzhou CN / Cayman-incorporated) -> entity control entirely outside the EU -> SOV-1.1 opt1. (src: https://www.sec.gov/Archives/edgar/data/1577552/000104746915006981/a2225750zf-4.htm) |
| SOV-1.2 | Change of control risk | 5. Very unlikely | 125/125 | SEAL-4 | medium | Already controlled by a non-EU (Chinese) parent and a core strategic asset; a transfer to a *non-EU* sovereign entity is very unlikely (no realistic path), so opt5 per existing all-seal-4 choice. |
| SOV-1.3 | Control over roadmap | 1. No influence possible | 0/125 | SEAL-2 | high | Roadmap set centrally by Alibaba Group in China; no EU-actor governance bodies, only ordinary feedback -> SOV-1.3 opt1 (no influence possible). |
| SOV-1.4 | Financial independence from non-EU capital | 1. Almost entirely relying on non-EU funding | 0/125 | SEAL-4 | high | Funding almost entirely non-EU (Alibaba Group capital, NYSE/HKEX listings, US/Asian institutional investors); no material EU funding base -> opt1 (all-seal-4 factor). |
| SOV-1.5 | EU economic contribution | 1. Minimal | 0/125 | SEAL-4 | medium | EU footprint a small fraction of an overwhelmingly China-centric business; EU economic contribution minimal -> opt1 (all-seal-4 factor). |
| SOV-1.6 | Participation in EU strategic programs | 1. No clear participation | 0/125 | SEAL-4 | medium | No clear participation in EU strategic programs (Gaia-X leadership, IPCEI-CIS); effectively excluded as a Chinese provider -> opt1 (all-seal-4 factor). |
| SOV-1.7 | Alignment with EU industrial strategies | 1. No evidence exists | 0/125 | SEAL-4 | medium | No published action plan aligned with EU industrial strategies; industrial strategy aligns with Chinese national priorities -> opt1 (all-seal-4 factor). |
| SOV-1.8 | Resilience to cut-off | 2. Service would stop, with delay for customer reaction | 31/125 | SEAL-0 | low | No own_stack: continuity depends entirely on the Chinese parent. On forced cut-off (sanctions/withdrawal) the service stops, with some delay for customer reaction -> SOV-1.8 opt2 (seal 0). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-2.1 | Primary legal jurisdiction | 2. Mixed EU/non-EU | 84/167 | SEAL-1 | high | EU contract runs through EU entity/regions (Frankfurt) under EU law, but the group is governed by Chinese law (PRC law dominant over the parent) -> mixed EU/non-EU -> SOV-2.1 opt2. (src: https://www.alibabacloud.com/en/trust-center/compliance) |
| SOV-2.2 | Extraterritorial laws exposure | 1. Fully exposed to non-EU laws | 0/167 | SEAL-1 | high | No immunity: fully exposed to extraterritorial PRC laws (National Intelligence Law Art.7, Cybersecurity Law, Data Security Law) compelling cooperation -> SOV-2.2 opt1. (src: https://www.sec.gov/Archives/edgar/data/1577552/000104746915006981/a2225750zf-4.htm) |
| SOV-2.3 | Data access pathways for non-EU authorities | 1. Can compel access without customer notification | 0/167 | SEAL-1 | high | foreign_parent (PRC): authorities can compel the parent to provide data access without customer notification, no effective refusal -> SOV-2.3 opt1 (caps SEAL at 1). (src: https://www.alibabacloud.com/en/trust-center/compliance) |
| SOV-2.4 | Export control restrictions | 2. Restrictions towards EU citizens or international orgs | 42/167 | SEAL-1 | low | No eu_exclusive shield: subject to Chinese export-control/data-export regimes plus Western sanctions risk affecting EU citizens/international orgs; revenue overwhelmingly China, not majority-EU -> normalised to cluster answer SOV-2.4 opt2 (Restrictions towards EU citizens/intl orgs), consistent with Tencent/Huawei (was opt3, undocumented). |
| SOV-2.5 | Origin of IP | 1. Entirely outside the EU | 0/167 | SEAL-4 | high | IP (Apsara, ECS, OSS, Qwen, T-Head chip IP) developed and owned by Alibaba Group entities in China; origin entirely outside the EU -> opt1 (all-seal-4 factor). |
| SOV-2.6 | IP holder jurisdiction | 1. Non-EU law, single country | 0/167 | SEAL-3 | high | Core IP held by Alibaba Group under Chinese (and Cayman) law - a single non-EU jurisdiction -> SOV-2.6 opt1. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-3.1 | Customer control over encryption keys | 3. Shared - provider has override keys | 100/200 | SEAL-2 | medium | KMS with BYOK/customer-managed keys plus Dedicated/Managed HSM exist, but as a PRC-compellable provider it operates the platform and retains override / can technically read data -> shared keys, provider has override -> normalised to cluster answer SOV-3.1 opt3 (was opt4; provider-cannot-read not credible under PRC law). |
| SOV-3.2 | Transparent data flows & access logs | 3. Logs exist but not real-time / vendor-controlled | 100/200 | SEAL-2 | medium | ActionTrail/CloudMonitor provide access/audit logs but vendor-operated and not real-time independently auditable by the customer -> SOV-3.2 opt3. |
| SOV-3.3 | Secure deletion & proof of erasure | 3. Internal validation per policy, no proof | 100/200 | SEAL-1 | low | Deletion follows internal lifecycle policy (per ISO 27018) with no independent cryptographic proof of irreversible erasure -> SOV-3.3 opt3 (policy-only). |
| SOV-3.4 | Data location strictly in EU/EEA | 2. Partly EU, significant third-country reliance | 50/200 | SEAL-0 | medium | Not eu_exclusive: EU regions (Frankfurt) offer residency but it is a global-default product with a PRC-controlled management plane creating significant third-country exposure and no contractual no-fallback guarantee -> SOV-3.4 opt2 (seal 0 gate; was opt4 which gave seal 1 and broke the SEAL-0 target). (src: https://www.alibabacloud.com/en/press-room/alibaba-cloud-launches-third-datacentre-in-germany) |
| SOV-3.5 | AI services sovereignty | 3. Mixed: auditable/open-source AI, foreign chips | 100/200 | SEAL-2 | medium | AI partly open/auditable (open-source Qwen on Hugging Face/ModelScope) but runs on foreign/Chinese-designed accelerators (Hanguang) fabbed outside the EU -> mixed, not EU-led -> SOV-3.5 opt3. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-4.1 | Portability & interoperability | 3. Standard documented data export methods | 84/167 | SEAL-4 | medium | Standard documented export/API methods (S3-compatible OSS, standard formats) support portability despite higher-level managed-service lock-in -> SOV-4.1 opt3 (seal 4). |
| SOV-4.2 | Ability to operate without foreign dependencies | 1. Critical ops delivered by non-EU teams | 0/167 | SEAL-1 | medium | No eu_ops: critical operations, platform engineering and management plane delivered by non-EU (mainly Chinese) teams; cannot be operated without the parent -> SOV-4.2 opt1. |
| SOV-4.3 | Skill availability in the EU | 2. Mixed, majority outside EU | 42/167 | SEAL-1 | low | Engineering/operational skills concentrated in China; EU staff a minority on regional sales/support -> mixed, majority outside the EU -> SOV-4.3 opt2. |
| SOV-4.4 | Support channels | 2. Mixed, majority outside EU | 42/167 | SEAL-2 | low | Global follow-the-sun support with significant China/Asia presence; some EU support exists but the majority sits outside the EU -> SOV-4.4 opt2. |
| SOV-4.5 | Documentation & knowledge transfer | 2. EU optional, not enforced | 42/167 | SEAL-2 | low | Documentation/knowledge bases are global with primary engineering/content originating in China; EU access is optional, not enforced -> SOV-4.5 opt2 (EU optional). |
| SOV-4.6 | Subcontractor & supplier jurisdiction | 2. Service would stop with delay | 42/167 | SEAL-2 | low | Subcontractors/suppliers largely non-EU (parent group, Chinese/Asian vendors); on disruption the service stops with some delay and no EU-side ability to internalise -> SOV-4.6 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-5.1 | Origin of components (physical parts) | 2. Partial disclosure | 36/143 | SEAL-1 | low | Hardware (T-Head Yitian/Panjiu servers plus third-party components) sourced/assembled outside the EU with only partial provenance disclosure -> SOV-5.1 opt2. |
| SOV-5.2 | Manufacturing location | 2. Foreign origin, partial disclosure | 36/143 | SEAL-1 | medium | Servers/chips foreign-manufactured (China design, TSMC/foundry fabrication) with partial disclosure; no EU manufacturing or EU audit rights -> SOV-5.2 opt2. |
| SOV-5.3 | Embedded code/firmware provenance | 2. Partial disclosure | 36/143 | SEAL-4 | low | Firmware/embedded code in custom T-Head silicon and servers is proprietary, developed in China, with only partial disclosure -> opt2 (all-seal-4 factor). |
| SOV-5.4 | Origin of software | 1. Fully foreign origin, black box | 0/143 | SEAL-0 | high | Beyond foreign_core: core platform software (Apsara, control plane, managed services) is fully foreign-origin, China-maintained and a black box to EU customers -> SOV-5.4 opt1 (seal 0 gate). |
| SOV-5.5 | Software build/release jurisdiction | 1. Non-EU control & execution | 0/143 | SEAL-1 | medium | Build/release pipelines controlled and executed by Alibaba in China; no EU control or EU execution -> SOV-5.5 opt1. |
| SOV-5.6 | Single point of dependency | 2. Mostly non-EU, undocumented | 36/143 | SEAL-1 | medium | Critical dependencies mostly non-EU (Chinese parent for software, operations and chip supply) and largely undocumented for EU sovereignty -> SOV-5.6 opt2. |
| SOV-5.7 | Supply chain transparency | 2. Some suppliers auditable | 36/143 | SEAL-1 | low | Some suppliers auditable via certification reports, but the full supply chain (parent, chip foundries) is not independently auditable by EU customers -> SOV-5.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-6.1 | Interoperability & open interfaces | 3. Mixed (partial openness) | 100/200 | SEAL-2 | medium | Mixed openness: many APIs are AWS/S3-compatible and standards-aligned, but core managed services use proprietary interfaces creating partial lock-in -> SOV-6.1 opt3. |
| SOV-6.2 | Open standards compliance | 3. Partial core adoption | 100/200 | SEAL-2 | low | Open standards adopted in parts of the core (S3 API, standard protocols, Kubernetes/ACK) but no comprehensive policy mandating open standards across all core services -> SOV-6.2 opt3 (partial). |
| SOV-6.3 | Open source availability | 2. Source available for review, strict rights | 50/200 | SEAL-2 | medium | foreign_core: core platform is closed-source and vendor-controlled; though Alibaba open-sources components (Qwen, RISC-V XuanTie), core/key-project governance is centralised under Alibaba in China -> SOV-6.3 opt2 (seal 2). |
| SOV-6.4 | Service architecture transparency | 3. Some public insight | 100/200 | SEAL-3 | low | Some public architectural insight via docs/whitepapers/blogs, but customers cannot adapt or deeply inspect the proprietary platform internals -> SOV-6.4 opt3 (some public insight). |
| SOV-6.5 | HPC sovereignty | 2. EU-hosted, foreign stack | 50/200 | SEAL-3 | low | HPC/accelerated computing in EU regions is EU-hosted but runs a foreign (Chinese/non-EU-designed) hardware+software stack; no EU processor IP or EU fab -> SOV-6.5 opt2 (EU-hosted, foreign stack). |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-7.1 | Security certification (EAL) | 4. EAL3 | 107/143 | SEAL-3 | medium | Holds German BSI C5 (Germany + Singapore) plus ISO 27001 and SOC 2 Type 2; per gating_key BSI C5 maps to EAL3 -> SOV-7.1 opt4 (seal 3; was opt1, which mis-scored a real high-assurance national cloud cert). (src: https://www.alibabacloud.com/en/trust-center/security-compliance-practice) |
| SOV-7.2 | EU regulatory compliance (GDPR/NIS2/DORA) | 4. Partial compliance to most | 107/143 | SEAL-4 | medium | Holds broad certs (ISO 27001/27017/27018/27701, SOC 1/2/3, PCI DSS, German C5, AIC4) with GDPR-aligned commitments -> partial compliance to most -> opt4 (all-seal-4 factor). |
| SOV-7.3 | EU-based SOC & incident handling | 2. Hybrid EU/non-EU | 36/143 | SEAL-1 | low | Security operations global (follow-the-sun) with substantial China-based capability; SOC/incident handling hybrid EU/non-EU -> SOV-7.3 opt2. |
| SOV-7.4 | Control over security monitoring/logging | 3. Basic monitoring portal | 72/143 | SEAL-1 | low | Customers get a monitoring/logging portal (CloudMonitor, ActionTrail) but not full direct control with guaranteed immutable EU-resident log storage -> basic monitoring portal -> normalised to cluster answer SOV-7.4 opt3 (seal 1), consistent with Tencent/Huawei (was opt2). |
| SOV-7.5 | Disclosure of incidents | 3. Moderate (GDPR/NIS2-aligned) | 72/143 | SEAL-2 | low | Incident disclosure moderate and GDPR/NIS2-aligned for EU customers via contract, but without real-time CSIRT/ENISA integration -> SOV-7.5 opt3 (moderate). |
| SOV-7.6 | Maintenance autonomy | 2. Limited autonomy (vendor schedules) | 36/143 | SEAL-1 | low | Maintenance on vendor-controlled schedules with limited customer autonomy over the managed platform -> SOV-7.6 opt2 (limited autonomy). |
| SOV-7.7 | Auditability | 2. Limited independent access | 36/143 | SEAL-1 | low | No audit_rights: auditability limited to certification audits and contractual reports; no full independent EU audit of the platform -> SOV-7.7 opt2. |

| ID | Factor | Value | Score | SEAL | Conf. | Justification |
|---|---|---|---|---|---|---|
| SOV-8.1 | Energy efficiency (PUE) | 4. PUE < 1.3 | 188/250 | SEAL-4 | medium | Alibaba Cloud reports a fleet-average PUE of 1.200 for self-built data centres (FY ending Mar 2024); EU-region independent verification is not confirmed, so opt5 ('PUE<1.2, EU verified') is not met -> SOV-8.1 opt4 (PUE<1.3; was opt5). (src: https://www.alibabagroup.com/en-US/document-1752073403914780672) |
| SOV-8.2 | Hardware reuse & recycling | 3. Documented program | 125/250 | SEAL-3 | low | Documented hardware reuse/recycling program within ESG reporting, but not EU-certified or specifically EU-aligned circular-economy compliant -> SOV-8.2 opt3 (documented program). (src: https://www.alibabagroup.com/en-US/document-1752073403914780672) |
| SOV-8.3 | Environmental impact reporting | 3. Annual report | 125/250 | SEAL-2 | medium | Publishes an annual ESG/carbon report with quantified PUE, clean-energy share and emissions, but on global/Chinese methodology rather than an EU-audited framework -> SOV-8.3 opt3 (annual report). (src: https://www.alibabagroup.com/en-US/document-1752073403914780672) |
| SOV-8.4 | Energy supplies | 3. Mix of EU and non-EU supplies | 125/250 | SEAL-4 | low | Energy a mix of EU and non-EU sources (global clean-energy share ~56%, 100% target by 2030); EU regions draw on a mixed grid -> opt3 (all-seal-4 factor). (src: https://www.alibabagroup.com/en-US/document-1752073403914780672) |